Dominic Rota[*]

Introduction

The monumental technological advances of computer systems in recent years have given birth to a new battleground of warfare: cyberspace. The international legal regime, however, has not caught up to the threats posed by existing technologies, nor developed an adequate consensus on what is beyond the pale. Furthermore, the cyber arms race is on the verge of becoming even more dangerous as quantum computing technology will become a reality in the not-so-distant future.

The competition to create the first viable quantum computer is heating up, as quantum computers offer the ability to cripple militaries and topple the global economy.[2] Quantum computers will likely be able to break all modern encryption schemes, including those on which the banking, communications, defense, and healthcare industries rely.[3] Because quantum computers have the ability to perform calculations in simultaneity and perform factoring operations vastly more efficiently than conventional computers, a single quantum computer could hijack even the strongest of encryption schemes in less time “than it takes to snap one’s fingers.”[4] As Dr. Arvind Krishna, the Director of IBM Research, recently stated, “[a]nyone that wants to make sure that their data is protected for longer than 10 years should move to alternate forms of encryption now.”[5] We could see the first workable quantum computer in little more than five years.[6]

The United States likely still possesses the advantage in quantum computer development.[7] Indeed, American technological titans such as Microsoft, IBM, Intel, and Google have made massive investments in quantum computing over the past few years.[8] Most recently, the U.S. House of Representatives unanimously passed the National Quantum Initiative Act (“NQIA”).[9] The NQIA would direct the President to implement a “National Quantum Initiative Program” to accelerate the research and development of quantum computing science and its applications in technology.[10] The NQIA calls for approximately $1.275 billion in funding for the program in its first five years.[11]

The U.S.’s lead, however, may diminish as other nations and their companies aggressively work to catch up. The European Union (“EU”) has made quantum research a “flagship project” over the next decade, committing to investing upwards of €1 billion to research, more than five times the current U.S. government allocation.[12] Meanwhile, China leads the international community in “non-hackable quantum-enabled satellites” and possesses the world’s fastest supercomputers.[13]

And while nations compete with one another in quantum innovation, the laws governing cyberwarfare remain indeterminate and unsettled. Do cyberattacks rise to the level of an armed attack, such that they warrant a formal act of “self-defense” or a declaration of war against a sovereign nation? Perhaps it is not surprising that the international community has yet to implement a legal framework to regulate cyberattacks and warfare. Perhaps there are no simple answers to the questions the advent of cyberwarfare presents. But what is surprising is that there has been so little progress at the international level in establishing uniform expectations of state conduct, considering that this long-speculated-about possibility has largely become a reality. Yet cyberattacks and cyberwarfare still demand the legal practitioner consider “issues of self-protection, the ability to fend off (or deny) an attack, attribution about the source of attack, and effectiveness of response.”[14]

This Article addresses the challenges of establishing a unified legal framework over the “modern arms race” of quantum computers and other cyber operations, and explores potential solutions for the international governance over cyberwarfare. I argue that a uniform international policy and legal framework is needed, as opposed to the mere hope that a technology-based solution will protect developed nations against attacks by quantum computers. Although a technology-based solution, such as the development of quantum-resistant algorithms and technologies, could indeed provide a means of defense for developed nations, such a solution is not viable for those states without the technological capability to shield against attacks from quantum computers.

Part I provides a brief introduction to the history of modern-day encryption technologies, as well as how major public-key encryption schemes protect against threats emanating from the weaponization of conventional computers. Part II provides an explanation of how a quantum computer exploits the basic tenets of quantum mechanics, and demonstrates how quantum computers could swiftly penetrate encryption schemes. Part III turns to legal analysis, and the current theoretical challenges in establishing a concrete international legal regime to address the threat of cyberwarfare in general.

Finally, Part IV proposes a number of approaches the international community may take to address the approaching threat posed by quantum computing. It analyzes the use of force in cyberattacks, a perennial challenge in international law.

I.          Overview of Encryption Technology

As the global community becomes increasingly reliant on the electronic communication of sensitive information (e.g. trade secrets, medical records, and bankcard information), “the rewards for intercepting that information grow.”[15] Both private and public sector entities have sought to ensure security and protection for their private data.[16] Encryption technologies, perhaps “the most important technological breakthrough in the last . . . thousand years,”[17] have enabled the safe and secure transmission of private data in the Information Age.

The basic idea of contemporary encryption is intuitive. An encryption algorithm is a method that uses a large, secret number called a key, to encrypt the message to be secured, called the plaintext.[18] On the other end, a computer that receives the ciphertext transmission and knows the key that was used for encryption can easily translate it back into to the plaintext.[19] A computer that intercepted the ciphertext but did not know the key would be unable to make sense of it; without the key, the message is nonsense. Moreover, internet encryption uses keys that are at least 128-bit numbers, with a minimum of around 3.40 × 1038 possibilities for each key.[20] It would take years for a conventional computer to guess a given key by working its way through all the possibilities.[21]

The internet relies on an ingenious technique called public-key cryptography to scale the benefits of encryption to an internet that relies on members of the general public interacting in ways meant to be kept secret with third-parties with whom they have no relationship and therefore no previously agreed upon private key.[22] Public-key cryptography generates a publicly available key from a secret key that is ultimately necessary to decrypt the data.[23] This two-stage process allows public users of the internet to transmit encrypted information that could only be decrypted by the holder of the private key.[24] This technique underlies most encryption on the internet, including that which safeguards financial transactions and personal information.[25]

Public-key encryption is difficult for an intercepting computer to break. While many of the most commonly used methods could be broken by efficiently factoring the long public keys, this is a notoriously difficult mathematical operation when the public key is of substantial length.[26] Fortunately, there are no known efficient factoring algorithms that can run on traditional computers.[27] A 232-digit number took scientists two years to factor running hundreds of computers in parallel.[28] Breaking the codes that shield information on the internet, then, is comfortably beyond the capabilities of governments, saboteurs, and terrorist organizations. But, by harnessing the counterintuitive principles of quantum mechanics, quantum computers can be vastly more efficient at factoring large numbers. Consequently, the mass of information on the internet protected by public-key encryption could be vulnerable to exposure by even a relatively weak quantum computer.

II.          Overview of Quantum Computing Technology

Transistors are the basic building block of modern computing; as a general matter, the smaller a transistor can be fabricated, the greater the computing power resident in a given physical space on a computer chip. Current computers are built on classical, or Newtonian, mechanics,[29] but quantum computers are built on transistors of individual atoms, a scale we are already approaching.[30] This is the secret to the promise and threat of quantum computing, and goes beyond merely fitting more transistors into the same amount of space. By storing information in continuous, rather than binary variables, quantum computers will deliver a computing power qualitatively different from traditional computing.

A.    The “Qubit”

In standard computers, the transistors, which are part of an integrated circuit, switch “on” or “off” to pass or block electrical pulses.[31] A bit is a piece of data that is represented by either the binary values “1” or “0,” representing the functions of “on” or “off,” respectively.[32] This mechanical architecture underlies the binary structure of contemporary computing information. Information, in the form of bits, is fed through a processor, which completes calculations iteratively, or one-at-a-time, according to algorithms established by the software’s coding.[33]

In quantum computers, the qubit is equivalent to the classical computer’s bit. A qubit is a more powerful mechanism of information storage, though, because it exploits the superposition principle, a fundamental feature of quantum mechanics.[34] The superposition principle permits the storage of information as continuous variables rather than discrete, binary variables. In other words, a qubit is a probabilistic distribution that can encode an infinite number of values between 0 and 1. Classical computers can only store information in 0s and 1s, and all the complex calculations they perform are built upon combinations of 0s and 1s. In contrast, quantum computers will be able to store information in a probabilistic distribution of infinite values between 0 and 1, and the calculations of the combinations of this distribution can be incomprehensibly complex.

More importantly for the fate of the global encryption paradigm, quantum computers are theorized to not only be faster, but also qualitatively better at factoring, jeopardizing the system of public-key encryption on which the internet relies. Indeed, in 1994, long before the first quantum computers were built, MIT Professor Peter Shor developed an algorithm that uses quantum, continuous variables to factor large numbers vastly more efficiently than scientists believe can be done with binary variables and traditional computers.[35] The promise of this algorithm has been demonstrated in small scale experiments with quantum computers.[36] In short, when it comes to cracking public-key encryption, quantum computers will be guessing in a manner which far exceeds the computational power of existing classical computing.

B.    Quantum Encryption: Fighting Fire with Fire

Since nations and private corporations possess an interest in developing quantum computing technology, much of today’s international efforts in this field are directed towards creating “next-generation cryptography that is ‘quantum proof.’”[37] The mission of post-quantum cryptography, or “quantum-resistant cryptography,” is to develop systems secure against assaults by both quantum and classical computers.[38] First, many hope that quantum-proof encryption can be developed on classical computers by developing encryption schemes that are not vulnerable to rapid factoring.[39] The United States Department of Commerce’s National Institute of Standards and Technology (NIST), “initiated a process to solicit, evaluate, and standardize one or more quantum-resistant public-key cryptographic algorithms”[40] which would be able to run on classical computers. At the end of 2017, the NIST accepted approximately seventy submissions of candidate quantum-resistant algorithms, all of which were explored and reviewed at a national conference in 2018.[41]

Second, researchers are working on ways of encrypting information using quantum computing. The first quantum-resistant transaction took place in 2004, when Viennese researchers exploited the phenomenon of photon entanglement to transfer a €3,000 deposit into their bank account.[42] Three years later, a Swiss company used quantum encryption technology to protect the results of an election in Geneva.[43] In 2017, China launched the world’s first “quantum satellite,” which the Pentagon deemed a “notable advance.” This satellite used the first space-to-ground quantum key technology used to establish “hack-proof” communications.[44]

Most of this encryption relies on quantum key distribution, a form of quantum encryption that exploits the quantum mechanical properties of photons (particles of light), which move in a particular direction (or polarization) while vibrating.[45] Similar to sunglasses, polarized filters in quantum key distribution systems only allow photons with certain polarizations to pass through.[46] At the sender’s end of a fiber optic network, a laser generates a series of single photons, each in one or two polarizations: vertical, representing a “1”, or horizontally, representing a “0”.[47] At the receiver’s end, the polarization of the photon is measured.[48] If a hacker intercepts the photon, it is compromised due to the collapse of the energy state, reflecting a value different from the value of probabilistic distribution between polarizations of 0 and 1. This renders it impossible for the hacker to send an accurate duplicate of the photon.[49] Thus, if the values of the key do not match between, then the key is discarded, alerting the communicating parties that they are being bugged.[50]

Despite the promising developments in developing quantum-proof encryption technology, it is still a relatively nascent field, with such research “far behind the progress of quantum computers themselves.”[51] Furthermore, despite the fact that researchers have made progress in securing transactions and interactions between sending and receiving parties, the technology has not addressed the security of data “at rest.”[52] Indeed, the developments of defensive measures may prove to be too little, too late, as the prospect of quantum cyberwarfare becomes a reality. Thus, while the international community should certainly try to play catch-up in innovating defensive responses to quantum computing, it must also address the need for global cooperation with regard to cyberattacks and cyberwarfare.

1. Quantum Computing Attack: A Case Study with the 2007 E-Stonia Attacks

There is no doubt that conventional methods of cyberattack (e.g. worms, Trojans, phishing, denial-of-service, ransomware, spyware, etc.) can be effective in targeting computer information systems, networks, and infrastructures, for the purposes of stealing, altering, or destroying information and data. But quantum computing offers remarkable efficiency in piercing encryption schemes and would dramatically increase potential cyber-exposure. To demonstrate the ease by which quantum computers could cripple a nation, a quantum computing attack will be contrasted with that of a conventional form of cyberattack, the distributed denial-of-service (“DDoS”), which was the primary tool for Russian-sponsored cyber-attackers in the Estonian incident of 2007.[53]

By 2007, Estonia had established so impressive a computer network that it had been nicknamed “e-Stonia”.[54] In the context of rising geopolitical tensions with its larger neighbor Russia, Estonia suffered what was at the time the most comprehensive cyberattack in history.[55] Using the method of “distributed denial-of-service” (DDoS), Russian-backed operatives maintained the assault for approximately twenty-two days, causing blackouts in Estonia’s major commercial banks, telecoms, media outlets, and other essential government servers.[56]

The aim of a DDoS attack is to “cut off users from a server or network by overwhelming it with requests for service.”[57] While standard denial-of-service attacks involve a single attack upon a single victim, the DDoS requires hordes of compromised computers, or “bots,” to carry out a single task in unison.[58] Essentially, when the cyberattacker, or “botmaster,” has infected and converted a sufficient number of vulnerable systems, it forms a “botnet” of zombie computer systems.[59] In turn, this botnet, controlled by the botmaster, sends a flood of requests to a target server or network, resulting in the overload or complete collapse of its functionality.[60] This form of attack merely denies internet users the capacity to access important functions over the web server.

An attack from a quantum computer could be fundamentally different. Whereas the DDoS attack against Estonia was a form of technological carpet-bombing, a quantum computer attack can be far more precise; a clinically efficient sniper. Quantum computers would not be focused on denying access, but rather infiltrating and gaining access to the system through parallel, computational factoring; the attacker would be able to steal, alter or destroy encrypted information. Had a quantum computing attack been employed in Estonia in 2007, the citizens could have faced far greater consequences, potentially including the absolute loss of confidential information necessary for functioning in a national economy.

In the present landscape, intelligence agencies around the world are archiving intercepted communications that have been transmitted through existing encryption technologies, which, as discussed, are currently mathematically uncrackable.[61] They wish that through quantum computing they will soon be able to decrypt this presumably valuable information.[62] Other rogue actors, however, see quantum computing as more than an intelligence gathering tool. Indeed, it could be a means to attack the banking and financial systems at the heart of any regional and/or global economy.[63]

III.          The International Conundrum

Computer systems across the globe are more linked than ever before. Because of this, “information can, and does, travel between networks at distances that make it difficult to predict the ripple effects of an action with any precision.”[64] Quantum computing technology has the capacity to breach encryption at any node along the information highway. Yet, despite the international community’s continuous talk of the danger of cyberattacks, efforts to harmonize global cooperation have been “rudimentary.”[65]

Discourse on cyberwarfare has arisen from the law of international armed conflict. Despite discussion in the abstract, it was not until the 2007 cyberattacks on Estonia that the international community moved to discuss in earnest cyberspace as a domain of war.[66] In response to those attacks, the North Atlantic Treaty Organization (NATO) established the Cooperative Cyber Defense Centre of Excellence (NATO CCD COE) in Tallinn, Estonia. A few years later, the CCD COE invited an independent group of experts to produce a manual on the international law governing cyber warfare, which became the Tallinn Manual 1.0 on the International Law Applicable to Cyber Warfare.[67] The use of cyber weapons continued, notably by Russia during its war with Georgia in 2008[68] and by Israel and the United States against Iran in 2010,[69] prompting the CCD COE to invite a new International Group of Experts to expand the Tallinn Manual’s scope to include governance of cyber operations during peacetime. This project developed into the preeminent treatise on cyber operations of today: Tallinn Manual 2.0 on the International Law Applicable to Cyber Warfare.[70] Although NATO’s product has spurred international cooperation in the area of cyberwarfare, it has not been internationally adopted as a legal protocol for war- and peace-time cyber operations. In fact, it is silent on the indirect effects of cyberattacks and their relationship to international criminal law, trade law, or intellectual property law, for example.[71]

While major efforts have been directed towards defining cyber operations within the scope of armed conflict, developed nations continue to suffer substantial economic losses as a result of international cybercrime and cyberespionage.[72] A 2014 report by the Center for Strategic and International Studies reports the economic costs of malicious cyber activity as averaging 0.8% of global gross domestic product.[73] Considering this amounts to losses in the hundreds of billions of dollars, the use of cyber operations to economically cripple a nation or trade group appears to be a viable means of conducting covert warfare.

The ideal solution to prevent cyberwarfare would be the formulation of an international agreement, either through existing international or regional organizations, or the development of a novel international coalition. Before this can happen, however, the international community must navigate a labyrinth of uncertainty around issues of attribution of cyber operations. Moreover, the international community has yet to take its first turn in this maze: adequately defining “cyberwarfare” and “cyberattacks.”

A.    Defining a “Cyber Attack”

Achieving a concerted international effort is challenging because of perennial ambiguity surrounding the definition of “cyberattack” and how to differentiate military cyber operations from civilian cyber espionage, which has prevented coordination and understanding between countries.[74] Moreover, the discussions thus far have not accounted for the heightened threat posed by quantum computers.

In the past several years, various organizations have attempted to create uniform definitions. In 2010, the U.S. Joint Chiefs of Staff defined a “cyberattack” as a “hostile act using computer or related networks or systems, and intended to disrupt and/or destroy an adversary’s critical cyber systems, assets, or functions.”[75] In 2012, Professor Oona Hathaway and Rebecca Crootof made their own attempt at devising a broad definition of a cyberattack: “[a] cyberattack consists of any action taken to undermine the functions of a computer network for a political or national security purpose.”[76] For its part, the Tallinn Manual offered the following definition: “[a] cyberattack is a cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destructions to objects.”[77]

None of these definitions, however, explicitly addresses the potential effects of a cyberattack on a state’s broader infrastructure. The Tallinn Manual’s definition, indeed, arguably fails to grapple with a variety of risks, including: the scrambling of financial records or a stock market crash; a false electronic signal causing a nuclear reactor to power down; an electronic blackout of air traffic control systems; an exposure of medical, educational, and personal information; or even an entire shut-down of large segments of the electrical grid.[78] Debate continues regarding the appropriate, essential language that captures the critical elements of a “cyberattack,” but does not permit an overly-broad construction.[79]

Another challenge in codifying a definition of cyberattack arises from the fact that nation-states are often unable to determine whether an attack was civilian or military in origin,[80] or more importantly, whether the attack was ordered by a hostile state or committed by a rogue private actor.[81] The difficulty of attributing cyberattacks lies in the fact that there are “generally no flags being flown, no soldiers to question, and no physical weapons to determine the country of origin.”[82] Moreover, there is generally a considerable amount of time that elapses before it is clear from which actor or nation the attack originated.[83] Due to the common practice of intentional misdirection by cyber actors, many scholars and legal practitioners have criticized the very notion of expanding the U.N.’s construction of self-defense under Article 51 to include responses to alleged cyberattacks.[84] If sovereign nations lack the capacity to accurately (and timely) determine the source of an attack, acting in self-defense is unwise, critics argue, given the substantial risk of misdirected retaliation.[85]

Despite this uncertainty, some nations and private organizations have attempted to form coalitions to address impending threats, including the power of quantum computers.

B.    Current Global Efforts

This section discusses the current lay of the land regarding international governance over cyberwarfare, and its readily apparent inadequacies in combating the potential threat of quantum computing-enabled attacks. To demonstrate the fragmented nature of international policy, this part is further divided into sections outlining the (1) international military efforts and (2) civilian efforts with respect to information security and data privacy.

1. International Military Efforts

A few months after the U.S. National Institute of Standards and Technology launched a post-quantum cryptography project “designed to identify quantum-resistant public-key cryptographic algorithms,”[86] Congressman Michael McCaul, Chairman of the House Homeland Security Committee, stated the need for a “coalition of like-minded nations to prepare for the quantum future and ensure [the international community] ha[s] the right cyber defenses in place when it comes.”[87] Yet, with the dawn of quantum computers approaching, efforts to institutionalize international cooperation on cyber governance lag behind.[88] This is largely due to states’ reluctance to restrict their sovereign control of cyberspace.[89]

Indeed, in cyberspace, state sovereignty extends beyond physical borders, reaching “any cyber infrastructure located on their territory and activities associated with that cyber infrastructure.”[90] Cyberspace includes the following layers: physical, logical, and social.[91] The physical layer of cyberspace “comprises the physical network components” such as cables, routers, servers, and computers; the logical layer consists of “connections that exist between network devices” including “applications, data, and protocols” permitting exchange of information across the physical layer; and the social layer pertains to “individuals and groups engaged in cyber activities.”[92]

It is no wonder, then, why states, particularly developed nations, would be reluctant to surrender potential cyber weapons.[93] Such cyber operations provide military commanders highly-preferable alternatives to traditional warfare.[94] Indeed, they can allow the military to attack enemy forces while minimizing the risk of death and injury to friendly forces, allies, or civilians.[95] Moreover, many cyberattacks are likely to be much cheaper than equivalent conventional attacks.[96]

In 2014, NATO, at its summit in Wales, recognized that a cyberattack may rise to the same level of harmfulness as a conventional attack.[97] It also established two institutional structures designed to respond to the threat of cyberwarfare: 1) the Cyber Defense Management Board, and 2) the NATO Cooperative Cyber Defense Centre of Excellence.[98] The Cyber Defense Management Board has generated a Computer Incident Response Capability (NCIRC) to protect its own system infrastructure and the NATO CCD COE, as discussed above, has been instrumental in shaping a framework of international law through the publication of the Tallinn Manual 1.0 and Tallinn Manual 2.0.[99]

2.  Civilian-Based and Private-Sector Efforts

The bulk of the global effort to shape the law of cyberwar has fallen on organizations concerned with non-military conceptions of information security and data privacy. Perhaps the most prominent is the European Union’s “Network & Information Security (NIS) directive,” which has taken substantial measures to improve cooperation on cyber security.[100] The Directive takes a three-pronged approach: 1) requiring EU states to implement minimal-level national capabilities by establishing Computer Emergency Response Teams (CERTs); 2) encouraging state authorities to cooperate and effectively coordinate across the integrated EU network; and 3) developing a risk-management protocol by which information is shared effectively between private- and public-sector regimes.[101] Moreover, in 2017, the European Commission dedicated €1 billion to quantum technology research.[102] Hopefully, these advances will generate an additional series of directives by the EU, and perhaps push state authorities to consider viable civilian defense strategies with an understanding of the revolutionary potential of quantum technology.

International and regional cybercrime suppression treaties have also included provisions for global cooperation in cyber operations.[103] Examples of these treaties include the Council of Europe’s Convention on Cybercrime and the League of Arab States’ Arab Convention on Combating Information Technology Offenses.[104] These agreements provide for “mutual assistance” to investigations or proceedings concerning criminal offenses related to computer systems and data, and for gathering of electronic evidence.[105] The Council of Europe’s Convention on Cybercrime additionally bans a wide variety of criminal activity such as system and data interception and interference, as well as the theft of intellectual property.[106] Still, however, the Convention does not adequately address the possibility of cyberwarfare. Indeed, it does not address cyberattacks in the context of warfare.[107] Further, by its structure, it lacks enforcement protocols to ensure adherence.[108] Thus, despite it being a binding treaty, the lack of enforcement mechanisms in the protocol renders the agreement rather malleable, only “partially develop[ing] cooperative behavior” amongst the signatory states.[109]

Another approach, encouraged by the Tallinn Manual 2.0, is to encourage the United Nations’ authorization of regional organizations to conduct enforcement action against cyber threats.[110] However, the promotion of regional cooperation has been at most a “piecemeal” effort.[111] Consider the Association of Southeastern Asian Nations (ASEAN) Convention on Counter-Terrorism (ACCT), which includes cyber operations as an “area of cooperation” among its member states.[112] Though it promotes the importance of taking a cooperative effort in combating cyberattacks, by its nature ASEAN remains dissociated from the efforts of other regional cooperative alliances.

Ultimately, these efforts will be largely ineffective if the world’s powerful military rivals, particularly the United States, Russia, and China, are unwilling to enter into a binding international agreement that limits their offensive cyber warfare capabilities.

IV.          Approaches to International Uniformity on Cyber Policy

Thus far, this Article has identified several obstacles to achieving uniform international policy on the governance of cyberwarfare, and explained why such uniform governance will be necessary to safeguard information as quantum computers become commercially available. Part A of Section IV, which explains three existing models of analyzing cyberattacks as “force” or “armed conflict,” explores the means by which the international community may scrutinize the use of militarized quantum computing and suggests a possible framework for nation-states to adopt. Part B analyzes the challenges in establishing internationally binding protocols and conventions against the use of weaponized quantum computers.

A.    Ascertaining an Approach to Analyzing the Force of Cyber Attacks

In contrast to traditional attacks, cyberattacks may be threatening primarily because of their indirect effects.[113] Often, these indirect results arise from their sheer unpredictability.[114] For example, a virus that may have been intended for a particular target may accidentally replicate from the target-point and propagate elsewhere, resulting in greater damage than anticipated.[115] Indeed, quantum computing attacks that decrypt widely-used encryption systems will have implications for the global internet. Thus, while quantum computers are in the early stages of technological maturity, it is imperative that the international community clarify its definition of cyberattack.

There are three major methods of analyzing the force of cyberattacks: instrument-based, target-based, and effects-based approaches.[116] Each framework has its respective advantages and disadvantages, and the solution likely resides somewhere in between.

The first approach to analyzing the force of cyberattacks is the “instruments-based” approach, which focuses on the technique utilized in an attack.[117] In other words, this approach emphasizes the inherent differences among the forms of cyberattack.[118] This framework has been widely adopted by international agreements that address “conventional weapons” (e.g., chemical weapons), but has faced major criticism in application to cyberattacks. More specifically, scholars argue that the adoption of such a protocol for cyberattacks could prevent nations from responding to certain categories of attacks, even if the consequences of the attack extended far-beyond the intended target. Furthermore, with technology rapidly evolving, categorically excluding certain forms of attack is problematic, given that a more “enhanced” version of such technological means could rise to the level of force required for national response.[119] Nevertheless, as will be discussed below, the instrument-based approach could be of value when addressing the prospect of weaponized quantum computers.

The second approach, the “target-based” model, centers the legal analysis on the target of the attack.[120] This is problematic because countries may define their own “critical” infrastructure in idiosyncratic ways, and could arbitrarily expand or contract the definition of a cyberattack as it applies to them.[121] However, scholars still suggest that the categorizing of all infrastructure as “critical” puts the attacker directly on notice of the nation’s intent to defend itself, resulting in a deterrent effect against potential attacker.[122]  Yet, categorizing all cyber intrusions into targeted critical infrastructure as cyberattacks would suggest that a nation would effectively be “at war” with any nation that conducts such intrusions, regardless of their tangible consequences.[123] Moreover, if a cyber intrusion is carried out against “non-critical” infrastructure, but the consequences are devastating, this approach would seem to fail. Because of these limitations, the “target-based” approach is inadequate to deal with the unique challenges of cyberwarfare.

The third approach, and the most popular, is the “effects-based approach.”[124] This framework structures its inquiry around “repercussions and results.”[125] A cyberattack that produces the equivalent result of a physical, kinetic attack has a higher probability of qualifying as an “armed attack,” while cyberattacks that result in political or economic coercion, though damaging, are less likely to qualify.[126]

Critics, however, have attacked effects-based proposals, arguing that they “can be too easily manipulated to create results supporting the geo-strategic goals of the nation conducting the inquiry.”[127] Moreover, because the indirect harms of cyber operations may not manifest immediately, this framework may have “limited utility for a state’s leaders under pressure to determine the appropriate response to such an attack.”[128]

Attacks by quantum computers, particularly in a world in which only a handful of states have access to them, present unique challenges for defining a cyberattack. Indeed, even if the international community were to settle on a definition for cyberattacks in general, it may not be adequate to address the profound power disparity presented by the control of quantum computing by a few states or sub-national actors.

Rather, I recommend the fusion of the “instruments-based” with the “effects-based approach” when analyzing the use of quantum computers to deliver a cyberattack. Under this test, a state would first need to determine if the attack employed the rapid, parallel factoring of complex encryption schemes that is only possible with quantum computers. If the victim state determined that the perpetrator used a quantum computer, it would be on notice that a repeat attack against a full array of indefensible network targets is possible.

Second, the victim state would then need to consider the “effects” of the quantum-computing attack, factoring in such indirect effects[129] as prospective economic and political aftermath. Perhaps what is most difficult about applying the effects-based approach with quantum computing is the extent to which the indirect effects will be indeterminate or simply too far-reaching to quantify clearly. A quantum computing attack would indicate that the attacker had the capability to pierce all encryption schemes, and the indirect effects of the attack could therefore include the compromise of encrypted internet information beyond the scope of the initial attack. In other words, having knowledge of the instruments used to propagate the cyberattack would directly inform the analysis of the secondary effects of the cyberattack. This, of course, presupposes that the victim state does not have the technological means to defend against attacks based on quantum computer factoring. Nevertheless, a viable means of quantum defense remains incomplete, and the proposed approach not only factors in this absence but also affords those states lacking the means to achieve a technology-based solution the legal capacity to consider retaliation with more traditional force where appropriate.

In the same way that states had to re-conceptualize the use of force after the advent of nuclear weapons, quantum computing requires us to reconsider how we approach cyberattacks.  Even if the effects-based approach is the most plausible standard for cyberattacks in general, it matters if an attack is made with a quantum computer. Until the international community’s cyber systems have evolved in such a manner so as to reduce the threat of quantum computing attacks to that of conventional cyberattacks, this proposed approach would provide nations with a viable and efficient means of responding with appropriate force to a quantum computing attacks as they arise.

B.    Towards A Convention Against the Use of Weaponized Quantum Computers

Once the international community has settled on how to analyze whether an operation using a quantum computer constitutes the use of force, it must implement a legal regime to regulate the improper use of such computers.

Professor Mary Ellen O’Connell has expressed concern over the militarization of cyber issues.[130] Rather, Professor O’Connell proposes the equivalent of an international agreement reducing stockpiles of chemical weapons to cyber operations.[131] But while broad regulation of cyber operations is an ideal approach, there is considerable difficulty in securing stringent regulatory policy in the international context.[132]

However, there have been successes. The Nuclear Non-Proliferation Treaty (“NPT”) and Chemical Weapons Convention (“CWC”) offer examples of “treaties in other ‘dual-use’ areas that are analogous to cyber space.”[133] These treaties seek to terminate the use or possession of chemical and nuclear weapons, while promoting the use of chemicals and nuclear power for non-military purposes.[134] For both the CWC and NPT, the Security Council of the United Nations may become involved if members violate these treaties.[135]

Disarmament of quantum computers (perhaps the “Weaponized Quantum Computer Convention”) modeled after the CWC and NPT would provide a framework for countermeasures, sanctions, and law enforcement for signatory states. Member-states would still be permitted to use quantum computing for non-military purposes. There would, of course, be profound enforcement challenges involved, but the success of these treaties can provide the international community a plausible way forward.

In the meantime, as Professor Chayes argues, voluntary non-binding pledges could start an international domino effect of nations issuing “confidence building measures” (“CBMs”), doing something to protect against the threat of attack by quantum computers while acknowledging state concerns about sovereignty.[136]

On the road to an international agreement or binding protocol, intermediate actions could send a message to the international community that there is a strong international consensus in favor of cyber disarmament. Without international enforcement, CBMs should not be the highest aspiration of global efforts. While interim diplomatic measures, such as voluntary pledges, may be a useful signal that states are committed to developing a robust legal framework against cyberattack, the world must recognize that quantum computers do not operate on clunky legislative time. While the world spins its legal and decision-making wheels for years to come, quantum computers only need a matter of moments to threaten encrypted information.

Conclusion

Quantum-computing attacks have substantial differences both from physical attacks and traditional cyberattacks. A nation can easily comprehend the physical effects of destructive nuclear bombs, but may not be adequately technologically advanced to understand the ripple effects of the use of quantum computing to break major encryption schemes across classified and otherwise protected computers and networks in the public and private sector.

Scholars are in near unanimity that current piece-meal efforts between nations and international organizations are unsustainable. As the dawn of quantum computing technology approaches, and as developed nations continue to express a clear reluctance to forfeiting highly-effective technologies, the world could enter into a “Quantum Cold War.” And, just as the threat of “mutually assured destruction” by nuclear warfare caused the United States and Soviet Union to exhibit restraint in the use of their own unclear stockpiles, the international community could head into a similar stalemate of a quantum “hold-out.” This possibility, of course, remains to be seen; but this possibility does not preclude the need for sound international policy.

Featured image by Varsha Y S via Wikimedia Commons.

[*] J.D. Candidate, Belmont University College of Law, Class of 2018. First and foremost, it is with genuine appreciation that I thank Mr. James Toomey, Executive Editor for Online Content, and the Harvard National Security Journal Online, for their tireless work in ensuring this piece is in top shape for publication. Next, I would like to express my sincerest of gratitude to Professor Jeffrey Usman not only for his patience through the drafting process, but also his dedication to each and every student who seeks his guidance and direction. Moreover, my utmost thanks to Dr. Steve Robinson, Associate Professor of Physics at Belmont University, who provided a scientist’s eye in examining the quantum computer content, and to Mr. Nicholas Pleasant, who catapulted my legal research forward on international law and governance over cyberspace. Moreover, I would like to recognize my attorney-mentor, Mr. Scott Larmer, who steadfastly encouraged me to write on a legal topic that is technologically-forward and complimentary to my background. Lastly, I would like to thank Ms. Lauren Kisner and Mr. Robert Ketter, for providing meaningful and response feedback, when I needed it the most.

[2] See Idalia Friedson, The Quantum Computer Revolution Is Closer Than You May Think, National Review (May 2, 2017), http://www.nationalreview.com/article/447250/quantum-computing-race-america-can-win-must-keep-pushing-hard.

[3] See Amelia Heathman, Quantum Computing: the Most Exciting Thing in Computing Is Also the Most Terrifying, Verdict (July 21, 2017), https://www.verdict.co.uk/quantum-computing-the-most-exciting-thing-in-computing-is-also-the-most-terrifying/.

[4] Id.

[5] Tom Foremski, IBM Warns of Instant Breaking of Encryption by Quantum Computers: “Move Your Data Today,” ZDNet (May 18, 2018), https://www.zdnet.com/article/ibm-warns-of-instant-breaking-of-encryption-by-quantum-computers-move-your-data-today/.

[6] See id.

[7] See The race is on to dominate quantum computing, The Economist (Aug. 18, 2018), https://www.economist.com/business/2018/08/18/the-race-is-on-to-dominate-quantum-computing (“IBM led the way in 2016 with a 5-qubit computer and then a 20-qubit one in 2017 . . . Its latest ‘quantum processing unit’ (QPU), which was announced last November, has 50, one qubit more than Intel’s. Both were overtaken in March by Google’s Bristlecone, with 72 qubits.”); see also Arthur Herman, At Last America Is Moving on Quantum, Forbes (Aug. 20, 2018), https://www.forbes.com/sites/arthurherman/2018/08/20/at-last-america-is-moving-on-quantum/#2e8607005327 (“But a House bill and a White House proposal are signs that America’s political establishment is starting to get it: This is one high-tech race America can’t afford to lose.”).

[8] See Sabrina Dougall, IBM, Google and Intel jostle for quantum computing supremacy, Computer Bus. Rev. (Jan. 11, 2018), https://www.cbronline.com/news/ibm-google-intel-quantum-computing.

[9] See John Russell, House Passes $1.275B National Quantum Initiative, HPC Wire  https://www.hpcwire.com/2018/09/17/house-passes-1-275b-national-quantum-initiative/ (last visited Oct. 20, 2018).

[10] See Summary: H.R. 6227 – 115th Congress (2017-2018), Congress.gov, https://www.congress.gov/bill/115th-congress/house-bill/6227 (last visited Oct. 20, 2018).

[11] The bill provides the following allotment to the various organizations, who are to be members of the National Quantum Coordination Office: (1) $400 million for the National Institute of Standards and Technology (“NIST”) Activities and Workshops; (2) $250 million for the National Science Foundation (NSF) Multidisciplinary Centers for Quantum Research and Education; (3) $625 million for the Department of Energy (“DoE”) Research and National Quantum Information Science Research Centers See H.R. 6227, 115th Cong. (2018).

[12] See Aaron Stanley, Is the U.S. Getting Its Act Together on Quantum Computing?, Forbes (June 26, 2018), https://www.forbes.com/sites/astanley/2018/06/26/is-the-u-s-getting-its-act-together-on-quantum-computing/#b1cf1c6704f5.

[13] See Is China winning race with the US to develop quantum computers?, South China Morning Post (Apr. 9, 2018), https://www.scmp.com/news/china/economy/article/2140860/china-winning-race-us-develop-quantum-computers.

[14] Antonia Chayes, Rethinking Warfare: The Ambiguity of Cyber Attacks, 6 Harv. Nat’l Sec. J. 474, 478 (2015).

[15] Daniel J. Sherwinter, Surveillance’s Slippery Slope: Using Encryption to Recapture Privacy Rights, 5 J. on Telecomm. & High Tech. L. 501, 512 (2007).

[16] See id. (“[Encryption] is of critical importance as governments, companies, individuals, and others are increasingly in possession of data requiring protection. Moreover, no one wants their trade secrets, employee information, customer information, or other private data compromised.”).

[17] Id. (quoting Lawrence Lessig, Code: And Other Laws of Cyberspace 35 (1999)).

[18] See Gary C. Kessler, Basic Concepts of Cryptography, An Overview of Cryptography (last visited Aug. 11, 2018), https://www.garykessler.net/library/crypto.html#purpose.

[19] See id.

[20] See Oracle, Key Length and Encryption Strength, Sun Directory Server Enterprise Edition 7.0 Reference (2010), https://docs.oracle.com/cd/E19424-01/820-4811/aakfw/index.html.

[21] See Steven Alexander, How big is 2**128, The Bug Charmer (June 27, 2012), http://bugcharmer.blogspot.com/2012/06/how-big-is-2128.html.

[22] See GlobalSign, What is Public-key Cryptography (last visited Sept. 27, 2018), https://www.globalsign.com/en/ssl-information-center/what-is-public-key-cryptography/.

[23] See id.

[24] See id. (“It is computationally infeasible to compute the private key based on the public key.”).

[25] See Larry Hardesty, Beefing up public-key encryption, MIT News (Feb. 15, 2013), http://news.mit.edu/2013/beefing-up-public-key-encryption-0215 (“Most financial transactions on the Internet are safeguarded by a cryptographic technique called public-key encryption.”).

[26] See Jennifer Chu, The beginning of the end for encryption schemes? MIT News (Mar. 3, 2016), http://news.mit.edu/2016/quantum-computer-end-encryption-schemes-0303 (“[F]actoring large numbers is . . . devilishly hard.”).

[27] See id.

[28] Id.

[29] See generally Amit Hagar, Quantum Computing, Stanford Encyclopedia of Philosophy, http://plato.stanford.edu/entries/qt-quantcomp/ (last updated June 16, 2015).

[30] See Cason Schmit, Intellectual Property’s Upcoming Quantum Leap: Projecting the Future Challenges Facing Quantum Information Technology Through a Historical Perspective of the Computer Revolution, 95 J. Pat. & Trademark Off. Soc’y 271, 274 (2013).

[31] See generally Binary Code: Computer Science, Encyclopedia Britannica, https://www.britannica.com/topic/binary-code (last visited Jan. 28, 2018).

[32] Id.

[33] See Schmit, supra note 29, at 275.

[34] The superposition principle states that any classical wave or field can be in a state of superposition, where the total superposition can be reduced into more fundamental components (e.g., destructive interference). The superposition principle is especially curious in quantum mechanics because, unlike with classical waves, when measuring a quantum system’s state in superposition, the result “collapses” into a more fundamental state (i.e. “spin up” or “spin down”). See Hagar, supra note 28.

[35] See Jason Bloomberg, This is Why Quantum Computing Is More Dangerous Than You Realize, Forbes (Aug. 11, 2017), https://www.forbes.com/sites/jasonbloomberg/2017/08/11/this-is-why-quantum-computing-is-more-dangerous-than-you-realize/#203d4bd53bab.

[36] See id.

[37] Id.

[38] See id.

[39] See, e.g., Joshua Holden, How Classical Cryptography Will Survive Quantum Computing, Nautilus (Dec. 27, 2017), http://nautil.us/blog/-how-classical-cryptography-will-survive-quantum-computers (“[C]ryptographers aren’t just giving up. . . . Research is . . . being done into . . . systems running on ordinary computers but based on problems that are not in the hidden subgroup category. These problems involving solving systems of multivariable polynomials, finding the shortest distance from a point on an n-dimensional skewed grid of other points, and finding the closest bit of string to a set of other bit strings.”).

[40] Id.

[41] First PQC Conference, Nat’l Inst. of Standards and Tech., https://csrc.nist.gov/events/2018/first-pqc-standardization-conference (last updated April 19, 2018).

[42] Devin Powell, What is Quantum Cryptography?, Popular Science, https://www.popsci.com/what-is-quantum-cryptography (last updated Mar. 3, 2016).

[43] Id.

[44] Id.

[45] Powell, supra note 41.

[46] Sherwinter, supra note 14, at 531.

[47] See William Jackson, How Quantum Key Distribution Works, GCN (Oct. 29, 2013), https://gcn.com/articles/2013/10/29/how-quantum-key-distribution-works.aspx.

[48] Id.

[49] This phenomenon is more generally known as the “no-cloning theorem.” Id.

[50] Sherwinter, supra note 14, at 532.

[51] Bloomberg, supra note 34.

[52] Id.

[53] Scott J. Shackelford, From Nuclear War to Net War: Analogizing Cyber Attacks in International Law, 27 Berkeley J. Int’l L. 192, 193 (2009).

[54] Id.

[55] Id.

[56] Id.

[57] Distributed Denial of Service: Anatomy and Impact of DDoS Attacks, Kaspersky Lab, https://usa.kaspersky.com/resource-center/preemptive-safety/how-does-ddos-attack-work (last visited Oct. 20, 2018).

[58] Id.

[59] Id.

[60] Id.

[61] Will Hurd, Quantum Computing Is the Next Big Security Risk, Wired (Dec. 7, 2017),  https://www.wired.com/story/quantum-computing-is-the-next-big-security-risk/.

[62] Id.

[63] Id.

[64] Eric Boylan, Applying the Law of Proportionality to Cyber Conflict: Suggestions for Practitioners, 50 Vand. J. Transnat’l L. 217, 235 (2017).

[65] Chayes, supra note 13, at 510.

[66] Id.

[67] Tallinn Manual 1.0 on International Law Applicable to Cyber Warfare (Michael N. Schmitt, ed., 2013).

[68] Prior to its armed attacks, Russia implemented several cyberattacks to undermine Georgia’s limited internet infrastructure. Cyberattacks directed at Georgia included Distributed Denial of Service (DDoS) attacks, the redirection of Georgian internet traffic through Russian telecommunication firms, and malicious programs known as “botnets.” See John Markoff, Before the Gunfire, Cyberattacks, N.Y. Times  (Aug. 12, 2008), http://www.nytimes.com/2008/08/13/technology/13cyber.html.

[69] In an effort to drastically halt Iran’s ability to develop a nuclear weapon, the United State and Israel jointly developed a computer virus, known as “Flame,” in order to gather intelligence in preparation for cyber-sabotage. This cyber operation, conducted jointly by the CIA and Israeli military, introduced destructive software such as the “Stuxnet virus,” which caused major mechanical malfunctions in Iran’s nuclear enrichment equipment. This is believed to be one of, if not the first, cyber-sabotage campaigns by the United States. See Ellen Nakashima, Greg Miller & Julie Tate, U.S., Israel developed Flame computer virus to slow Iranian nuclear efforts, officials say, Wash. Post (June 19, 2012), https://www.washingtonpost.com/world/national-security/us-israel-developed-computer-virus-to-slow-iranian-nuclear-efforts-officials-say/2012/06/19/gJQA6xBPoV_story.html?utm_term=.3e457e43571d.

[70] Tallinn Manual 2.0 on the International Law Applicable to Cyber Warfare (Michael N. Schmitt, ed., 2017) [hereinafter Tallinn Manual 2.0].

[71] Id. at 2–3.

[72] Center for Strategic and International Studies, The Economic Impact of Cybercrime and Cyber Espionage, 3 (July 2013), https://csis-prod.s3.amazonaws.com/s3fs-public/legacy_files/files/publication/60396rpt_cybercrime-cost_0713_ph4_0.pdf.

[73] In comparison, CSIS estimates the costs of Maritime Piracy at 0.02% globally; Transnational Crime at 1.2% globally; Counterfeiting/Piracy at 0.89% globally; and Narcotics at 0.9% globally. It additionally estimates Pilferage at 1.05% in the United States and Automobile Accidents at 1.0% in the United States. Center for Strategic and International Studies, Net Losses: Estimating the Global Cost of Cybercrime, 11 (June 2014), https://www.sbs.ox.ac.uk/cybersecurity-capacity/system/files/McAfee%20and%20CSIS%20-%20Econ%20Cybercrime.pdf.

[74] See Oona A. Hathaway & Rebecca Crootof, The Law of Cyberattack, 100 Cal. L. Rev. 817, 882 n. 315 (2012) (“The White House predicts that a shared understanding about norms of acceptable cyber-behavior will bring ‘predictability to state conduct, helping prevent misunderstandings that could lead to conflict.’”) (quoting Office of the President, International Strategy for Cyberspace: Prosperity, Security, and Openness in a Networked World 9 (2011)).

[75] Memorandum from Gen. James E. Cartwright on Joint Terminology for Cyberspace Operations 5 (Nov. 2011), http://www.nsci-va.org/CyberReferenceLib/2010-11-joint%20Terminology%20for%20Cyberspace%20Operations.pdf.

[76] Hathaway & Crootof, supra note 73, at 826.

[77] See Tallinn Manual 2.0, supra note 69, at 416.

[78] Hathaway & Crootof, supra note 73, at 823.

[79] Id.

[80] See Chayes, supra note 13, at 482.

[81] See id. at 487.

[82] In fact, as Noah Simmons writes, cyberattacks essentially operate “out of the shadows,” with their “paths often being obscured through re-routed and masked IP addresses.” Noah Simmons, A Brave New World: Applying International Law of War to Cyberattacks, 4 J.L. & Cyber Warfare 42, 101 (2014).

[83] See id. at 100.

[84] See id. at 101.

[85] See id.

[86] Mathew J. Schwartz, Post-Quantum Crypto: Don’t Do Anything, Bank Info Security (Feb. 22, 2017), http://www.bankinfosecurity.com/quantum-crypto-dont-do-anything-a-9737.

[87] U.S. Representative Michael McCaul, Chairman, House Homeland Security Comm., Keynote Address at the RSA Conference (Feb. 14, 2017).

[88] See, e.g., Chayes, supra note 13, at 510 (“Efforts to institutionalize international cooperation are rudimentary.”).

[89] See Tallinn Manual 2.0, supra note 70, at 12.

[90] Id. at 11.

[91] Id. at 12.

[92] Id.

[93] See James M. Acton, Cyber Weapons and Precision-Guided Munitions, Carnegie Endowment for Int’l Peace (Oct. 16, 2017), https://carnegieendowment.org/2017/10/16/cyber-weapons-and-precision-guided-munitions-pub-73397 (“[T]he use of cyberspace for military purposes can confer potential tactical advantages to an attacker, including by further improving force exchange ratios, while placing few, if any, additional demands on the logistical network needed to supply frontline forces.”).

[94] See Major Arie J. Schaap, Cyber Warfare Operations: Development and Use Under International Law, 64 A. F. L. Rev. 121, 158 (2009) (“Some obvious benefits include less physical destruction, less cost than other types of traditional warfare, and the ability to still achieve the same results with less risk to military personnel.”).

[95] Id.

[96] Id.

[97] See North Atlantic Treaty Organization, Wales Summit Declaration, (Sept. 5, 2014), https://www.nato.int/cps/ic/natohq/official_texts_112964.htm (“Cyber attacks can reach a threshold that threatens national and Euro-Atlantic prosperity, security, and stability. Their impact could be as harmful to modern societies as a conventional attack.”).

[98] See Chayes, supra note 13, at 510.

[99] Tallinn Manual 2.0, supra note 69, at 1.

[100] See Chayes, supra note 13, at 512 (citing Press Release, European Commission, Great news for cyber security in the EU: the European Parliament successfully votes through the Network & Information Security (NIS) directive,  (March 13, 2014), https://ec.europa.eu/digital-single-market/en/news/great-news-cyber-security-eu-european-parliament-successfully-votes-through-network-information).

[101] See Chayes, supra note 13, at 512.

[102] See Press Release, European Union, Quantum Europe 2017: Towards the Quantum Technology Flagship,  (Feb. 2, 2017), https://www.eu2017.mt/en/Press-Releases/Documents/pr170217_EN.pdf.

[103] Tallinn Manual 2.0, supra note 69, at 75.

[104] See Treaty No. 185: Convention of Cybercrime, Council of Europe, https://rm.coe.int/CoERMPublicCommonSearchServices/DisplayDCTMContent?documentId=0900001680081561 (last visited Oct. 20, 2018); see also Arab Convention on Combating Information Technology Offences, League of Arab States, https://dig.watch/actors/arab-league (last visited Oct. 20, 2018).

[105] Id.

[106] Details of Treaty No. 185: Convention on Cybercrime, Council of Europe, https://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/185 (last visited Jan. 28, 2018) (“[The treaty’s] main objective, set out in the preamble, is to pursue a common criminal policy aimed at the protection of society against cybercrime . . . .”).

[107] See id.

[108] Id. (stating that the treaty will be enforced “especially by adopting appropriate [domestic] legislation and fostering international cooperation.”).

[109] Chayes, supra note 13, at 513.

[110] Tallinn Manual 2.0, supra note 69, at 360.

[111] See Chayes supra note 13, at 513.

[112] See ASEAN Convention on Counter Terrorism 7 (2012), https://asean.org/wp-content/uploads/sites/13/2012/05/ACCT.pdf.

[113] See Reese Nguyen, Navigating Jus Ad Bellum in the Age of Cyber Warfare, 101 Cal. L. Rev. 1079, 1098 (2013) (“Cyber attacks challenge traditional notions of warfare because, compared to traditional weapons, worms, viruses, and botnets may have a scope of impact that is potentially far broader; their effects may be highly unpredictable; their payload may often be reversible; and they may be difficult to attribute to a particular source.”).

[114] See id.

[115] Simmons, supra note 81, at 52 n. 26 (“The first Internet worm, the Morris worm, was intended to simply map out the scope of the Internet. Due to a coding error, it replicated much faster than anticipated and resulted in a DoS attack on the Internet . . . .”).

[116] See id. at 53.

[117] See id. at 54.

[118] See id. at 54 (“This approach would differentiate attacks carried out by viruses, worms, network intrusions, Distributed Denial of Service (DDOS), etc.”).

[119] Cf. id at 55 (“[T]echnology in the field of cyber-attacks is constantly changing, which poses a significant impediment to this type of framework. Were countries to pass a treaty condemning certain types of cyber weapons . . .  new technology and forms of cyber warfare could very well exist before ratification or execution.”).

[120] See Nguyen, supra note 112, at 1119 (“As the name suggests, the target-based view frames its legality analysis not around the instrumentality used to execute the attack, but around the status of the attack’s target.”).

[121] Id. (“Countries may define their own critical infrastructure in different ways.”).

[122] See Eric Talbot Jensen, Computer Attacks on Critical National Infrastructure: A Use of Force Invoking the Right of Self-Defense, 38 Stan. J. Int’l L. 207, 228 (2002).

[123] Id. at 1120 (“[B]y categorizing all cyber intrusions into critical infrastructure as acts of war, the target-based approach puts the United States at war with China, Russia, and a number of other countries that have already penetrated U.S. infrastructure systems for unknown purposes.”).

[124] Id. at 1122 (“[The effects-based approach] is the most widely accepted view.”).

[125] Id.

[126] Id.

[127] Id. at 1122.

[128] Id.

[129] The most prominent effects-based approach was offered by scholar Michael Schmitt, who recommended that a nation utilize the following six-criteria in analysis whether a cyberattack rises to the level of a use of force: (1) severity, (2) immediacy, (3) directness, (4) invasiveness, (5) measurability, and (6) presumptive legitimacy. See Michael N. Schmitt, Cyber Operations and the Jus Ad Bellum Revisited, 56 Vill. L. Rev. 569, 576 (2011).

[130] See Mary Ellen O’Connell, Cyber Security without Cyber War, 17 J. of Conflict & Security L. 187, 190–191 (2012) (“[I]nternational legal rules on the use of force, especially the rules on self-defense, raise important barriers to military solutions to cyber space problems. Indeed, the law of self-defense should have little bearing in discussions of cyber security.”).

[131] Id. at 190 (“Another apt analogy [to cybersecurity] is to the chemical sector. Chemicals are an indispensable part of everyday life in the 21st century, but chemicals can also be made into devastating weapons of mass destruction. To prevent this, the Chemical Weapons Convention prohibits the use and possession of chemical weapons.”).

[132] Chayes, supra note 13, at 497 (“Professor O’Connell’s suggested analogy to piracy [and chemicals] does not take account of the difficulties securing deep regulatory regimes.”).

[133] Mary Ellen O’Connell, Louise Arimatsu & Elizabeth Wilmshurst, International Law Meeting Summary: Cyber Security and International Law 9 (2012), https://www.chathamhouse.org/sites/files/chathamhouse/public/Research/International%20Law/290512summary.pdf.

[134] Id.

[135] Id.

[136] See, e.g., Chayes, supra note 13, at 518.

Dominic Rota

J.D. Candidate, Belmont University College of Law, Class of 2018.