Entering the Third Decade of Cyber Threats: Toward Greater Clarity in Cyberspace

ByDan Efrony. Posted Originally at Lawfare.

Senior Airman Alexander Schrichte, 460th Space Communications Squadron client systems technician, performs routine technical checks on network servers, Nov. 9, 2018 at Buckley Air Force Base, Colo. (U.S. Air Force )

Over the course of just a few decades, the world has entered into a digital age in which powerful evolving cyber capabilities provide access to everyone connected online from any place on the planet. Those capabilities could be harnessed for the benefit of humanity; they might also be abused, leading to enormous harms and posing serious risks to the safety and stability of the entire world.

A strategy of international cooperation is crucial to mitigate the threats of abuse of cyberspace, primarily by clarifying the “red lines” in the field of cybersecurity and determining how to verify and enforce states’ compliance with their legal obligations in the field. The five permanent members of the U.N. Security Council (the P5) should have a decisive role in meeting this challenge. Yet while the P5 have had some success when mitigating the risks posed by weapons of mass destruction, the group is unlikely to be able to duplicate this pattern of action in cyberspace considering the rising tensions among the P5 and the geopolitical divisions in cyberspace. These divisions manifested in the 2017 failure of the United Nations Group of Governmental Experts on Information Security (UN-GGE) to produce a consensus report after two decades and five sessions of governmental groups of experts. Nevertheless, given the significance and seriousness of the risks that cyber operations pose to the safety and stability of states, giving up on collective action altogether is also unacceptable. 

Currently, states have used three main modes of action to meet the challenge, which I will briefly review below. Recent developments have highlighted the mode embraced and implemented by the U.S. and its close allies: a deterrence-based approach combined with a high degree of ambiguity regarding questions of law and policy in cyberspace. However, this ambiguity undermines attempts to develop clear rules for the conduct of states in cyberspace and thereby adversely affects both the effectiveness of deterrence and the legitimacy of cyber operations conducted to compel compliance with general nonbinding norms and principles. This approach should be reconsidered in favor of a clearer and more balanced strategy that can gain at least the international acceptance of like-minded states.

Current Modes of Action

Since the failure of the UN-GGE in June 2017, key states active in cyberspace have mainly taken three separate modes of action to mitigate the threats posed in or through cyberspace. First, states have resumed international cooperation through two new parallel groups of governmental experts, instead of the one that collapsed. Both new groups act in accordance with two bidirectional resolutions, which the U.N. General Assembly adopted in December 2018. One resolution, led by the United States, established the GGE (Group of Governmental Experts) and the other, led by Russia and China, established the OEWG (Open-Ended Working Group). The two groups’ mandates have significant overlap, as both are authorized to discuss, inter alia, the development of rules and norms in the field of cybersecurity and how international law applies to the use of information and communications technologies. Importantly, the new (i.e., sixth) UN-GGE comprises 25 experts representing 25 states, including the P5, whereas the new OEWG is open to all U.N. member states. Since both groups act on the basis of consensus, we will have to wait and see whether either or both will succeed in overcoming the difficulties that caused the failure of the UN-GGE’s fifth round.

Second, states have engaged in voluntary international initiatives such as the Paris Call, the Cybersecurity Tech Accord, the Charter of Trust and the Global Commission on the Stability of Cyberspace (GCSC). These efforts were initiated by major tech corporations in cooperation with states, think tanks and civil society organizations. These private actors have stepped into the standard-setting arena largely because of a sense of societal responsibility, with a view to fill the void created by the influential states, whose strategy has been to adopt a policy of silence or ambiguity.

The common goal of all those initiatives is to articulate nonbinding norms for cyberspace and to ensure cybersecurity through international cooperation between all relevant stakeholders, inter alia, states, the private tech sector and civil society organizations. They seek to achieve this while preserving neutrality and credibility to reinforce trust and confidence in their processes. In principle, such initiatives should have included most concerned states, including the U.S., the U.K., Russia and China, but these states have refrained from officially becoming involved in such initiatives, ostensibly because they have embraced a policy of ambiguity regarding norms of conduct in cyberspace. This could be considered the Achilles heel of these initiatives—but it does not have to be so, as long as expectations remain modest and reasonable. By acknowledging that states and only states are entitled to determine what constitutes binding law in cyberspace (although adoption of such laws anytime soon seems unlikely), these initiatives have only limited and indirect impact on state practice in cyberspace. Still, they may softly and gradually influence such practice.

Third, states have embraced a deterrence-based strategy. The most powerful states in cyberspace—namely, Russia and China on one side, and the U.S. and the U.K. on the other—have funneled their efforts and resources into a vigorous cyber arms race, motivated by their own strategic considerations. The greater technological advantage gained by one side, the more intensified the mistrust and the fear in the mindset of the other. That may trigger retaliatory responses, not necessarily confined to cyberspace, to reestablish the balance of powers or to ensure mutual deterrence. Obviously, such a response is risky—but if managed cautiously, U.S. deterrence may be more successful. Still, it will probably not be enough to meet the long-term challenge of ensuring security and stability in cyberspace.

The U.S. has implemented a three-layer deterrence doctrine as emphasized in the National Cyber Strategy and the Defense Department’s 2018 Cyber Strategy, as well as by the U.K. minister of foreign affairs, who depicted it as a new deterrence doctrine endorsed by the U.K.

The first layer is identification and attribution, when the evidence is sufficient and public attribution may not jeopardize strategic interests. Second is naming, shaming and indicting, when the amount of evidence gathered allows it. Finally, there is lawful retaliation, mostly by retorsions such as diplomatic or economic sanctions, which are lawful acts though unfriendly within interstate relations. Although these layers of operation could be implemented consecutively or separately by any concerned state considering its self-interests in any given scenario, they were tailor-made for the U.S. and its national security interests. Unsurprisingly, the U.S. is the only state that has implemented a doctrine involving all three layers.

A short review of recent developments indicates a change in the U.S. policy in cyberspace toward more a proactive and deterrent approach to ensure compliance of states with nonbinding norms that reflect responsible state behavior.

Setting the Norms

The new National Cyber Strategy encourages “universal adherence to cyber norms: [i]nternational law and voluntary non-binding norms of responsible state behavior in cyberspace provide stabilizing, security-enhancing standards that define acceptable behavior to all states and promote greater predictability and stability in cyberspace ….” Eventually, it refers to the 2017 G7- Declaration of Responsible State Behavior, including the norms, rules and principles of responsible behavior of states consensually endorsed in the UN.-GGE third (2013) and fourth (2015) rounds, and the U.N. Charter.

Collective Attribution

This involves formalizing cooperation with like-minded states to jointly and publicly attribute responsibility for cyber attacks. Attributing the May 2017 WannaCry cyber operation and the June 2017 NotPetya operation at the outset of 2018 (see herehere and here) was a precursor to such enhanced cooperation. In October and December 2018, the U.S and its close allies, mainly its Five Eyes partners (Australia, Canada, New Zealand, and the U.K.), jointly attributed responsibility to Russia and China, respectively, for a series of cyber operations conducted by the GRU (including disruptive and destructive operations) and the group known as APT10 (including economic espionage) against numerous states (see herehereherehere and here).

Coordinated Retaliation and Imposing Consequences

The updated National Cyber Strategy calls for the deterrence of irresponsible state behavior by imposing consequences for breaching nonbinding norms, such as those endorsed by the UN-GGE and mentioned above. This combines with the launching of an International Cyber Deterrence Initiative by a coalition of like-minded states to coordinate and support each partner’s response to significant malicious cyber incidents. The U.S. implemented this strategy by indicting Russian and Chinese governmental operatives for the GRU and APT10 operations (see here and here), in addition to personal sanctions imposed against the Russian and Chinese defendants. However, the U.S. allies had little ability to impose additional costs, especially because the targeted states are superpower states, such as China and Russia. Nevertheless, the U.K., the U.S. and the Netherlands coordinated unprecedented exposure of intelligence about GRU’s operatives, methods and cyber operations to harm its operational capabilities (here and here). The U.K. and the U.S. coordinated exposure of intelligence also against China's APT10 (here and here).

Furthermore, at the national level, Congress has adopted active defense principles toward specific states (Russia, China, North Korea and Iran). This involves removing bureaucratic restrictions and authorizing offensive-defensive actions “to disrupt, defeat, and deter” should any of the four countries conduct malicious activity in cyberspace against the U.S. and the American people, including attempting to influence American elections and democratic political processes. In the same vein, the Defense Department’s 2018 Cyber Strategy includes “defense forward” as a deterrent measure, defining it as “disrupt[ing] or halt[ing] malicious cyber activity at its source, including activity that falls below the level of armed conflict.” In other words, the policy tackles emerging threats immediately at the source and may include cyber activities below the threshold of “use of force” within the adversary’s network or territory, by virtue of the relevant authorities delegated down to the appropriate level in U.S. Cyber Command.

In the time since the power to approve specific offensive cyber operations has been delegated down, it has been used much more frequently and effectively, including in a preventive manner during the U.S. midterm elections in November 2018 (see also here). In a recent statement, U.S. National Security Adviser John Bolton emphasized the United States’s improved “capabilities across the board to engage in more offensive cyber activities” and told Russia and any other state engaged in cyber operations against the U.S. that they “will pay the price … we will impose costs on you until you get the point.”

It is worth noting that the active defense approach has been endorsed publicly by senior officials such as the British minister of foreign affairs and even the French minister of defense, who suggested France’s approval of the approach while presenting the new French national cyber strategy. Still, from the perspective of international law, the legality of this proactive approach—which may include “hack-back” actions and other intrusion operations—is questionable. It depends on the way legal terms such as “sovereignty” and “countermeasures” would be interpreted and consensually applied in cyberspace.

Ambiguity and Deterrence

In a recent article for the American Journal of International law, Yuval Shany and I present an investigation of 11 cyber operations that occurred from 2013 to summer 2018, including, inter alia, the hack of the Democratic National Committee, the hack of Sony, the Office of Personnel Management hack, and the WannaCry and NotPetya cyber operations. All these operations were deemed to be executed by states or state-sponsored groups or individuals. Our findings indicated that victim states and attackers as well have endorsed a policy of ambiguity and silence. The goal of such approach is to maintain as much leeway as possible under the legal, technological and political uncertainties of cyberspace—thus, we wrote, “[E]ven when [states] acknowledge that they were victims of cyber operations directed against them, the rhetoric they use to describe the operation and their planned reaction thereto tends not to include legal arguments or references to specific norms of international law.”

When operating under conditions of significant normative uncertainty, Shany and I argue, states employ three interrelated strategies: “optionality,” regarding international law as an optional legal framework, which states may or may not invoke and apply; “parallel tracks,” the development through state practice of formal rules backed by opinio juris and informal set of rules shaped by practice without the sense of a legal obligation, both of which can presumably limit state power; and “gradations in law enforcement,” distinguishing between violations that are likely to lead to some form of response and those unlikely to do so.

It is worth noting that states did not reference any violation of an international obligation regarding the cyber operations that were collectively attributed (WannaCry, NotPetya, and the APT10 and GRU operations). This is consistent with the strategy of optionality: Treating the applicable international law framework as optional allows states to choose whether or not to invoke the legal discourse of international rights and obligations regarding their mutual interactions in cyberspace.

Undertaking retorsions and criminal indictments coincides with the strategies of “parallel tracks” and “gradations in law enforcement.” This is seemingly a reasonable compromise between the deterrence and ambiguity considerations. Hence, despite strong rhetoric about imposing consequences as a deterring retaliation, the U.S. and its close allies have so far applied only retorsions, which are lawful acts, though unfriendly—in lieu of countermeasures, unlawful acts in response to the violation of an international obligation. Countermeasures carry the risk of qualifying as a violation of international law by itself, if undertaken mistakenly.

The U.S. determination to implement a deterrence-based approach in cyberspace in tandem with its policy of ambiguity and silence may weaken deterrence and harm U.S. credibility. It also blurs the message of adherence to the rule of law in cyberspace, which is particularly concerning at a time when the question of how international law should be applied is still open ended and the law unclear and underdeveloped.

Attributing responsibility for violating nonbinding norms and undertaking punitive or retributive measures might be legally problematic, to say the least. Moreover, any attribution claim should refer to a violation of an international obligation, which should be clear and unequivocal. Enforcing nonbinding norms or principles with no clear contents is unacceptable and contradicts basic requirements of the principle of legality, which demands strict articulation of any legal prohibition. A state that deliberately ignores nonbinding norms is not in violation of its international obligations and therefore cannot be legally subjected to countermeasures, nor can it face consequences according to the deterrence-based approach.

Obviously, the policy of ambiguity is legitimate and premised on a common objective of maintaining operational latitude that remains as wide as possible, both defensively and offensively. However, this policy may result in a vicious cycle. While it serves states’ interest in maintaining latitude, it creates a significant obstacle in establishing accountability, which requires a clear binding legal framework and an efficient enforcement mechanism—both of which have not yet been formulated and cannot be shaped under conditions of uncertainty.

Ultimately, the tit-for-tat imposition of consequences provides the U.S. and its close allies with a prominent deterrence tool to deploy against their adversaries. That might be useful against a nonstate actor or less powerful state. But when the adversary is, for instance, Russia or China, the risk of escalation is much more serious.

Bearing in mind the uncertainties regarding the rising tensions among powerful states in cyberspace, along with evolving technological capabilities, ambiguity and deterrence are not a zero-sum game. They can and should be rebalanced.

Increasing Legitimacy

The recent collective attribution claims rely mainly on close cooperation among intelligence communities, primarily the Five Eyes and several additional Western allies. The content and amount of evidence remain classified, and the standard of proof is enunciated by short sentences or phrases such as “highly likely,” “high confidence,” “almost certainly responsible” and “highest level of probability.” That lack of transparency reinforces the adverse effect on the process’s credibility, which, in turn, may affect the legitimacy of any act taken in retaliation.

Nevertheless, there are some options that should be considered to increase legitimacy and credibility while implementing limited transparency. A priority should be reinforcing cooperation among an increasing number of like-minded states; collective attribution should involve more than a select group of states. Even more so, substantiating attribution claims also requires permanent cooperation with private cybersecurity and tech firms such as GAFAM (Google, Apple, Facebook, Amazon and Microsoft). Establishing parallel cooperation between states on the one hand and private companies on the other while maintaining national security will be a challenge. But as insurmountable as it may appear, it will be a worthy challenge to tackle.

Gradual Clarification

Exactly a year ago, U.K. Attorney General Jeremy Wright made a significant step toward setting opinio juris regarding the application of international law to cyberspace. Most relevant were his comments on the principle of sovereignty in cyberspace: The U.K. does not recognize the existence of a cyber-specific rule on violations of territorial sovereignty. Furthermore, the speech negated the applicability of two traditional obligations: the obligation to provide advance notification prior to executing countermeasures and the obligation to disclose evidence justifying attribution. Moreover, the attorney general emphasized the importance of international law in cyberspace despite the restrictions this places on states’ freedom of action: “[B]ecause we believe that a rules-based international order makes the world a safer place … it must also follow that a rules-based international order can only prevail when the rules can be clearly understood and that where they are unclear we seek to bring clarity.”

Considering the recent developments in cyberspace, it is time for the U.S.—as a leading superpower in the international community, and primarily in cyberspace—to take the lead in clarifying its legal and political stances regarding the application of international law in cyberspace, particularly on essential issues such as sovereignty, nonintervention, due diligence, countermeasures, the evidentiary standard and even the boundaries of legitimate espionage. Although this will reduce the level of ambiguity, it should not necessarily remove it totally—a gradual reduction in the level of ambiguity might be even better.

The U.S. should also prioritize reinforcing international cooperation to ascertain that the International Cyber Deterrence Initiative (ICDI) does not just focus on deterrence through joint imposition of consequences. Instead, the initiative should attempt to establish accountability in cyberspace by relying on a defined legal framework that includes binding rules and clear attribution and enforcement mechanisms. This could be done in parallel or in combination with the other modes of action described at the outset. Determining how to do this will be the responsibility of the ICDI, or, more accurately, the International Cyber Accountability Initiative (ICAI) to decide.

Conclusion

Two decades have passed since the UN-GGE was established with the mandate to examine and recommend how to meet the challenges and close the increasing gap between international law and evolving technology in cyberspace. Time is running out. International achievements in standards setting are limited, and cyber threats are increasing exponentially. The international community, particularly democracies led by Western major powers, should enter the third decade of the digital age equipped with broadly accepted tools and strong willingness to establish accountability in cyberspace based on clear, binding rules and enforcement mechanisms.