When is a Hack an Attack? A Sovereign State's Options if Attacked in Cyberspace: A Case Study of Estonia (Computer Hacking and Security)
Air Command and Staff College
For three weeks in 2007, the Republic of Estonia suffered a crippling cyber attack that left government, political and economic facets of the country helpless. This scenario provides a great template to examine the rights of a cyber-attacked state in the context of international law. Estonia's options were limited for numerous reasons, including difficulty of attribution, lack of international standards, and the current political environment. Ultimately, unless a cyber attack causes undisputable damage and loss of human life, and it can be traced back to a source with high certainty, it is highly unlikely that a state will conventionally respond in self-defense. Currently, there are no clear international laws that govern the rights of any sovereign state in the event of a cyber attack absent the direct loss of human life or significant physical damage. The current approach is to take the existing laws and treaties and interpret them to fit the activities in the cyber domain. However, unlike a conventional attack, there are many more factors that blur the line in cyberspace. Attribution is much more difficult because physical evidence is limited and is usually spread across different sovereign states. Without a common (and agreed-upon) definition of what constitutes a cyber attack, how can nations defend themselves without risking the ethical, legal and moral obligations that should reign over states? The fundamental dilemma a state faces is to balance its retaliatory options with the requisite legal justifications if it cannot be confident of the source of the attack.