The French Ministry of the Armies (formerly the Ministry of Defense) has recently released Droit International Appliqué aux Opérations dans le Cyberspace (International Law Applicable to Operations in Cyberspace), the most comprehensive statement on the applicability of international law (IHL) to cyber operations by any State to date. The position paper dealt definitively with many of the current unsettled issues at the forefront of governmental and scholarly discussions.
This two-part post builds on an earlier post at Just Security in which I examined the position paper’s treatment of the relationship between peacetime international law, including that set forth in the UN Charter regarding uses of force, and hostile cyber operations. The focus here, by contrast, is on France’s views as to how IHL applies in the cyber context. Key topics addressed in the paper include the applicability of IHL in cyberspace; classification and geography of cyber conflict; the meaning of the term “attack” in the cyber context; the legal nature of data during an armed conflict; and other significant IHL prohibitions, limitations, and requirements on cyber operations.
Applicability of IHL to Cyber Operations
The French position paper begins by affirming the applicability of IHL to cyber operations conducted during an armed conflict. In doing so, it joins a long lineage of comparable statements by international organizations such as NATO and the EU; the International Committee of the Red Cross (ICRC); and many States, including the United States, Netherlands, United Kingdom, and Australia. In its 2015 report, the fourth UN Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (GGE), which included all members of the UN Security Council, clearly was of the same mind, for it “note[d] … where applicable, the principles of humanity, necessity, proportionality and distinction,” a reference to IHL’s core principles. The acceptability of the statement in the international community was confirmed when the UN General Assembly subsequently endorsed the GGE’s 2015 report.
Unfortunately, during the fifth GGE, a consensus report proved elusive. Among the issues that hobbled proceedings was a desire by some States to include the term “international humanitarian law” in the expected report. A number of other States, including Russia and China, objected, a legally curious stance since the two had agreed in the 2015 GGE report that the aforementioned IHL principles applied to cyber operations during an armed conflict. Moreover, both States have robust military cyber forces and are actively building their wartime cyber capabilities. There is no doubt that they are planning on conducting cyber operations during armed conflict, and, in the Russian case, have done so in the Ukraine. This begs the question of which body of law they believe will govern those operations if not IHL.
More to the point, there is not a scintilla of legal doubt that cyber operations mounted during an armed conflict that have a nexus to that conflict must comply with applicable IHL. IHL has long accommodated itself to new technologies on the battlefield and no objection to its embrace of new weapons or tactics (so-called “means or methods of warfare” respectively) has ever survived scrutiny by States. Indeed, Article 36 of Additional Protocol I (AP I) to the 1949 Geneva Conventions requires States to assess the legality of new means and methods of warfare against the obligations found in pre-existing IHL. Whether this treaty provision, at least with respect to methods of warfare, reflects customary law, and is accordingly binding on States that are not party to AP I, is an unsettled question. However, that controversy does not detract from broad acceptance of the premise that all weapons of war and the manner in which they are used are subject to the constraints of IHL. France is on impermeable ground in taking the position that its cyber operations are subject to IHL rules during an armed conflict, as are those of its adversaries.
Classification of Cyber Conflict
Armed conflicts may be either international in character or non-international. Clearly, as noted in the French position paper, if a kinetic conflict is already underway, cyber operations conducted during the conflict are reached by IHL. The more challenging question is whether cyber operations standing alone may initiate, and comprise, an armed conflict. France is of the view that “in principle” they can, a view that is in my opinion correct.
As reflected in Common Article 2 of the 1949 Geneva Conventions and Article 1(3) of AP I, international armed conflicts (IAC) occur when there are “hostilities” between States (or between a State and a non-State actor under the “overall control” of a State). There is some disagreement over the requisite intensity of hostilities that is required to initiate such a conflict, but whether the ICRC Commentary on Article 2 is correct in stating that “[it]t makes no difference how long the conflict lasts, or how much slaughter takes place,” as I believe it is, it is irrefutable that cyber operations, which can be destructive or lethal, are capable of causing the requisite consequences.
For the reasons explained below, it is less likely that cyber operations that are unaccompanied by kinetic attacks could initiate a non-international armed conflict (NIAC); hence, the French position paper’s appropriate inclusion of the “in principle” text. NIACs are armed conflicts between States and organized armed groups (OAG), or between such groups. Common Article 3 of the Geneva Conventions, which reflects customary law, and Article 1(3) of Additional Protocol II to the 1949 Geneva Conventions (AP II, for NIACs in which the OAG controls significant territory) set out the normative basis for classification of such conflicts.
As observed by the International Criminal Tribunal for the Former Yugoslavia in its Tadić Appeals Chamber decision, to constitute a NIAC the violence in question must reach a certain level of intensity and involve a group that is armed and sufficiently organized. Therein lies the classification challenge for cyber-only exchanges. First, the intensity of the exchange must be very high. For instance, it is well accepted that, as set forth in Article 1(2) of AP II, “internal disturbances and tensions, such as riots, [or] isolated and sporadic acts of violence” do not reach the NIAC threshold; this is so even though they may result in extensive destruction and multiple deaths. The requisite level of violence is often described as so serious that the government must turn to the military to deal with the situation. Military planners do not foresee cyber operations as likely to occur at the requisite level of intensity during future conflict, but the possibility cannot be ruled out.
Second, the group must be well-organized. While military-like hierarchy is not required, the group has to have some form of command structure and an ability to act collaboratively. This criterion would rule out groups that are unorganized, as in a collection of individuals who, out of shared motivation, conduct cyber operations against a State in parallel (as was the case in the 2007 Estonia cyber operations) but without coordinating their activities. A further obstacle is that organized armed groups must have a means of enforcing IHL among their members, a condition understood to derive from the requirement that OAGs be “under responsible command.” A group that is organized entirely online, perhaps without even knowing the actual identity of its members, would – at a minimum – have difficulty in doing so. France is thus right to emphasize that it is in principle possible that cyber-only exchanges would qualify as an armed conflict, and equally correct in noting that the conditions precedent to initiation and maintenance of a NIAC render cyber-only NIACs unlikely.
Geography of Cyber Conflicts
As to the geography of cyber conflicts, France adopts the traditional approach with respect to IACs. Cyber operations may be mounted from, through and into the territory of the belligerents, but operations affecting the territory of neutral states are subject to the law of neutrality. It is accordingly forbidden to mount cyber operations from cyber infrastructure on a neutral’s territory or under its exclusive control (as with military infrastructure based abroad), including when that infrastructure is used remotely by a belligerent. Neutral states have a corresponding duty to terminate such operations. These obligations are well-accepted by states and scholars.
An important operational point in the French position paper deals with cyber operations, including those qualifying as an attack, that merely pass through (as opposed to being mounted from) neutral cyber infrastructure. France takes the position that such operations are communications that may be transmitted across neutral territory in accordance with Article 8 of the 1907 Hague V Convention on neutrality in land warfare, rather than “munitions of war,” the transport of which across neutral territory is forbidden by Article 2 of that Convention. Both articles are generally deemed reflective of customary law applicable in IACs. This is, in my estimation, as well as that of the Tallinn Manual 2.0 International Group of Experts (IGE), the correct interpretation given the geographically ad hoc nature of many cyber transmissions. It also avoids the ongoing discussion as to whether cyber capabilities qualify as weapons at all, at least with respect to neutrality rules regarding operations that might pass through neutral cyber infrastructure.
The position paper does not deal with the question of whether an aggrieved belligerent may take action to put an end to its enemy’s unlawful use of neutral cyber infrastructure, whether in situ or remote, when the neutral State does not comply with its own duty to do so. The prevailing view, and that of the Tallinn Manual 2.0 experts, is that this measure of self-help is permissible. Given France’s rather traditional approach to neutrality law, it is likely to take the same position.
As to the geography of NIACs, the landscape is more contentious. Under the first view, which is advocated by the ICRC, IHL applies throughout the territory of the State that is party to the conflict and in neighboring areas into which hostilities have “spilled.” France appears to take this position because it states that IHL applies during NIACs to cyber operations in the territory of the State in which hostilities are taking place. This begs the question of whether France considers only operations initiated and ending within that territory to be governed by IHL, or whether it would include operations launched from that territory but terminating elsewhere, or vice versa. This is a critical question because of the transborder nature of cyber operations; indeed, it makes operational sense for OAGs to conduct cyber operations from territory far beyond the State so as to hinder the operational practicality of enemy responses, especially kinetic ones, without forfeiting any operational advantages.
The alternative view, and that to which I, the majority of the Tallinn Manual 2.0 IGE, and the United States adhere, is that the applicability of IHL in a NIAC is not limited geographically, but rather extends to all operations with a nexus to the conflict. The geographical limitations of the jus ad bellum continue to apply and would preclude conducting cyber operations that would breach the sovereignty of the States into which they are conducted, except when those States are unwilling or unable to put an end to the hostile operations from their territory. This approach in the cyber context is analogous to the controversial application of the standard with respect to extraterritorial lethal drone operations against terrorists in organized armed groups that are involved in a NIAC with the United States.
In the second part of this post I will examine the position paper’s views on the concept of “attack,” on the conduct of hostilities and on data as an object.
Last week, the French Ministry of the Armies (formerly the Ministry of Defense) released the most significant statement to date by any State regarding the application of international law in cyberspace. Droit International Appliqué aux Opérations dans le Cyberspace (International Law Applicable to Operations in Cyberspace) follows on the heels of an important speech by the United Kingdom’s then Attorney General, Jeremy Wright, on international cyber law last year at Chatham House. Estonia’s President has also spoken out on certain key international law rules as applied to cyberspace, which I discussed previously at Just Security. So too did the United States in speeches by the State Department’s Legal Advisers Harold Koh and Brian Egan. While other States have also proffered various comments on the subject, the UK and French are noteworthy for having staked out positions on a number of key unsettled issues.
This post will highlight the key points made in the French position paper and, where useful, compare and contrast them to statements by representatives of other governments, as well as Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations, which was repeatedly cited in the French paper. A forthcoming analysis at Just Security will examine the international humanitarian law aspects of the document, which are thus excluded from my analysis below.
The most contentious debate regarding the applicability of international law in cyberspace surrounds the principle of sovereignty. The Tallinn Manual 2.0 International Group of Experts (IGE) was unanimous in the view that sovereignty constitutes both an international law principle from which various rules derive (such as the prohibitions on coercive intervention and the use of force) and a primary rule in its own right capable of being violated. For the Experts, remote cyber operations may violate sovereignty territorially, as in remotely causing effects on another State’s territory, or through usurpation of, or interference with, an inherently governmental function, as in conducting remote law enforcement searches in cyber infrastructure located on another State’s territory without its consent. The open questions were: 1) what type of effects qualified as a violation, a point on which consensus could not be reached beyond physical damage, relatively permanent loss of functionality of systems, or injury; and 2) under what circumstances are inherently governmental functions usurped or interfered with.
In his Chatham House speech, Wright challenged the characterization of sovereignty as a primary rule capable of being breached in the cyber context. The UK’s position is that no such rule can be “extrapolated” from the general principle of sovereignty. Instead, the prohibitive work of the sovereignty principle commences only when the prohibition on coercive intervention, which stems from the principle of sovereignty, is breached. This position caused many in scholarly and other governments’ circles angst, for they rightly wondered if it unnecessarily forfeited the protective value of the sovereignty rule. Indeed, when in 2018 the UK government accused Russia of having violated international law through a number of its hostile cyber operations, commentators (including myself) were left wondering how Russia had done so if there is no sovereignty rule, as the UK claimed.
France has come down firmly, and in this author’s view correctly as a matter of law and policy, on the side of sovereignty as a rule. In doing so, it has staked out a powerful position on the correct question – the nature of remote cyber operations that violate sovereignty. France contends that a hostile cyber operation against French cyber infrastructure or one causing “effects” on French territory violates French sovereignty if it has been launched by another State’s organs, persons or entities exercising elements of government authority, or by persons or entities operating under the instruction or direction or control of another State. These standards of attribution draw directly on Articles 4, 5, and 8 of the Articles on State Responsibility.
While unambiguously spurning the view that only cyber operations causing physical effects qualify as violations of sovereignty, the precise “effects” that would so qualify by the French approach are somewhat unclear. For instance, would an operation causing a system to slow down or a short-term distributed denial of service (DDoS) attack violate the target State’s sovereignty? Wherever the line is to be drawn, France’s position will spark a much-needed discussion among States on the matter.
Intervention requires, according to the ICJ, coercive acts affecting the State’s domaine réservé (areas of activity left to the State by international law), the paradigmatic example being manipulation of election results or election machinery. The French position paper, in text drawn from the International Court of Justice’s Nicaraguajudgment, sets forth France’s view that digital interference in its internal or external affairs constitutes prohibited intervention if it is likely to affect the French political, economic or social system. Of particular note, it highlights military and economic security as protected by the prohibition.
Although no mention of coercion appears in the position paper, France would presumably require coercive effect since the paper draws so directly on the Nicaragua judgement, which is typically cited as authority for the requirement. No State objects to application of the prohibition of intervention in the cyber context, as evidenced in part by its inclusion in the 2015 report of the UN Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, bolstered by the report’s subsequent endorsement by the General Assembly.
However, further State comment and practice is needed to identify where the threshold of breach lies. The UK places particular emphasis on the issue and will presumably proffer a relatively low threshold for what constitutes coercion, as it must to compensate for its dismissal of sovereignty as a primary rule of international law. Whether the French will likewise support a broad interpretation of the rule remains to be seen, although its embrace of a stringent rule of sovereignty gives it more maneuvering room in this regard than the British enjoy.
The obligation of due diligence was recognized by the International Court of Justice in the 1949 Corfu Channeljudgment. As set forth in Tallinn Manual 2.0, the due diligence rule requires States to ensure their territory is not used as a base for State or non-State hostile cyber operations against another State that cause serious adverse consequences with regard to a right of the target State. The obligation extends to cyber operations conducted remotely from outside the State using cyber infrastructure in the State that the attacker controls. Imagine a hacking group in State X that uses the cyber infrastructure in State Y to conduct a malicious operation in State Z; in this case, State Y has a due diligence obligation to stop that use of its cyber infrastructure.
By the prevailing view, the due diligence rule is limited to situations in which the hostile operations are ongoing; there is no duty to take preventive measures such as monitoring systems for misuse. Additionally, the due diligence obligation only attaches when it is feasible for the territorial State to take measures to end the hostile cyber operations from or through its territory. Finally, breach requires actual or constructive knowledge of the misuse of the State’s territory.
Presently, the international community is split as to whether due diligence is a binding obligation in cyberspace. France, and a number of other key States in the norms discourse – such as the Netherlands, Estonia, and Finland – endorse its status as a legal rule. There is a firm basis in international law for their position. Moreover, the view is sensible, for it offers normative protection: should another State fail to put an end to harmful operations, the door opens to the taking of countermeasures (see below) on the basis of that breach, which may take the form of cyber actions against the cyber infrastructure being used to conduct the attack.
France is crystal clear on this issue, and commendably so. It asserts that failure to comply with the obligation of due diligence, including failure to terminate operations by States or non-State actors that would violate the sovereignty of another State if conducted by the territorial State, is an internationally wrongful act that may be responded to with countermeasures (discussed below).
The French position paper, however, misreads Tallinn Manual 2.0 on the relationship between due diligence and self-defense. It cites the IGE majority as taking the position that a breach of due diligence entitles a victim State to take measures in self-defense against a hostile actor conducting a cyber armed attack from a territorial State to which the attack may not be attributed. This confuses due diligence with the “unwilling or unable” test of self-defense described below. The difference is significant because due diligence envisages a response only if the territorial State is “unwilling,” since feasibility is a condition for breach. The unwilling or unable test derives, instead, from a balancing of competing rights – sovereignty and self-defense. So where exactly the unwilling or unable doctrine draws the line in that careful jus ad bellum balance may not be the same as the line drawn by due diligence. Moreover, breach of the due diligence obligation might open the door to countermeasures and other remedies provided for in the law of State responsibility, but not the use of force since resort to force buy a State requires an armed attack or authorization by the UN Security Council.
Use of Force
That the prohibition on the use of force in Article 2(4) of the UN Charter and customary international law applies in cyberspace can hardly be doubted. Indeed, the UN GGE expressly confirmed the applicability of the prohibition to cyberspace in its 2015 report. The remaining question is when does a cyber operation not causing meaningful physical damage or injury (which would clearly qualify) amount to a use of force?
States generally have not addressed this issue with any precision, instead merely opting to confirm the prohibition’s applicability (e.g., see here for UK statement). The one important exception to this trend came in an important speech by the Dutch Minister of Defence, Ank Bijleveld, in which she suggested that if “a cyber-attack targets the entire Dutch financial system…or if it prevents the government from carrying out essential tasks such as policing or taxation…… it would qualify as an armed attack.” As all armed attacks are also uses of force, a severe non-destructive attack on the Dutch economy or government could qualify as a wrongful use of force if conducted by, or attributable to, another state.
The Tallinn Manual 2.0 IGE was unable to definitively resolve the issue. Instead of setting out a threshold, therefore, it offered factors that State decision-makers are likely to consider when determining whether to characterize cyber operations as a use of force. These non-exclusive factors included severity, directness, immediacy, invasiveness, measurability of effects, military character of the operation, degree of State involvement, presumptive legality, prevailing political environment, identity of the attacker, and nature of the target.
France has adopted the Tallinn Manual 2.0 approach fully by rejecting the requirement of damage, highlighting factors that should be considered when determining if a non-destructive cyber operation crosses the use of force threshold, and emphasizing that the factors are not exhaustive. The report singles out the prevailing circumstances at the time of the hostile operation, its origin, the effects caused or sought, the degree of intrusion, and the nature of the target. It offers as examples of a use of force: (1) operations that penetrate military systems to weaken French defensive capabilities; and (2) the financing and training of groups to conduct cyber attacks against France (the latter example drawn from the Nicaragua judgment’s holding that arming and training armed groups is a use of force).
Notably, the U.S. in 2012 also used a factors-based approach in assessing what cyber operations would amount to a use of force, as expressed in a speech by then-State Department Legal Adviser Harold Hongju Koh: “In assessing whether an event constituted a use of force in or through cyberspace, we must evaluate factors: including the context of the event, the actor perpetrating the action (recognizing challenging issues of attribution in cyberspace), the target and location, effects and intent, among other possible issues.”
That the right of self-defense exists in cyberspace pursuant to Article 51 of the UN Charter and customary international law, subject to the requirements of necessity and proportionality, likewise cannot be doubted. This is so despite an unfortunate unwillingness by Russia, China and a number of other States to include reference to self-defense in the aborted 2017 GGE Report. However, many unsettled legal issues surround the exercise of self-defense and France boldly has taken a position on most of them in the cyber context.
The most noteworthy position taken by France deals with the threshold at which a cyber use of force qualifies as an armed attack, thereby affording the victim State a right of self-defense. By the French interpretation, an armed attack includes cyber operations that cause substantial loss of life or significant physical or economic damage. Cyber attacks on critical infrastructure with substantial consequences, cyber operations that paralyze whole sectors of the nation’s activities, and ones that cause technological or ecological disasters are offered as examples. The fact that France does not require physical damage or injury is especially significant and likely signals a trend on the part of States to focus on the severity of consequences in addition to their character (damaging or not). In this regard, the French position appears to go well beyond that set forth for the UK in the Attorney General’s speech, which cited “imminent threat of, death and destruction on an equivalent scale to an armed attack.” The UK position and that of other countries will likely, in the authors’ opinion, move in the general direction of the French stance over time.
France rejects the US position that all uses of force are armed attacks that allow forceful responses in self-defense. Rather it adopts the position set forth in the Nicaragua judgement that armed attacks are the “most grave” forms of the use of force, a characterization adopted by the large majority of States and scholars. As examples below the armed attack threshold, the position paper cites cyber operations that are limited, reversible and have not reached the requisite level of gravity.
Likewise, and also contrary to the US view and that adopted by the majority of the Tallinn Manual 2.0 IGE, France rejects the premise that cyber armed attacks can be perpetrated by non-State actors unless attributable to another State because they were conducted pursuant to the instructions or direction or control of that State. Interestingly, this standard derives from the law of State responsibility instead of the Nicaragua judgement’s “by or on behalf of a State…or its substantial involvement therein” threshold.
In rejecting the extension of the right of self-defense to non-State actors, France adopts a position suggested by the International Court of Justice in the Armed Activities judgement and the Wall advisory opinion. The position paper does caution that in “exceptional” cases self-defense is available against armed attacks conducted by a so-called “quasi-State” like Daesh (ISIS). It hastens to add that this should not be read as endorsing a general right of self-defense against non-State actors, but then fairly acknowledges a trend in the opposite direction.
Additionally, France adopts the “accumulation of effects” approach to armed attacks, by which individual attacks that do not reach the threshold of armed attack may nevertheless be combined to do so as long as they are launched by the same actor or by different attackers acting in concert. This is the precise approach adopted by the IGE in Tallinn Manual 2.0. France also accepts the right of anticipatory self-defense in the face of an imminent armed attack but rejects the notion of preventive self-defense. The latter can be described as a situation in which the State against which defensive action is to be taken lacks the capability to mount an attack, does not intend to attack, or attack is not “imminent” because other options to preclude it have not been exhausted.
Finally, France rejects the “unwilling or unable” approach to self-defense, which allows an injured State to conduct military operations in another State even when the attack cannot be attributed to the territorial State. The “unwilling or unable” doctrine has been championed by the United States and was accepted by the majority of the Tallinn Manual 2.0 IGE in the cyber context. It is interesting in this regard that the position paper highlights its disagreement with Tallinn Manual 2.0 rather than with other States that frequently engage in counter-terrorist operations in other countries on this basis.
Other Noteworthy Positions
The position paper repeatedly refers to the right to take countermeasures in the face of a hostile cyber operation that violates international law. Countermeasures are acts (actions or omissions) that would violate international law but for the fact that their wrongfulness is precluded because they proportionally respond to another State’s unlawful action and are designed to compel that State to desist (or to secure reparations for harm caused). The classic example is the hackback that would otherwise violate sovereignty.
Somewhat surprisingly in light of its central place in the NATO alliance and its key role in European security affairs, France rejects the position recently set forth by Estonian President Kersti Kaljulaid that collective countermeasures – that is, countermeasures taken by one State on behalf of another State that is entitled to take countermeasures by virtue of being the target of an unlawful cyber operation – are permissible. While France has substantial capabilities to respond to unlawful cyber operations, other States, including many in the NATO Alliance, do not. As a practical matter, they would need to look to friends and allies to assist them in responding to hostile cyber operations or to act on their behalf; such States are likely to, and should, follow the Estonian lead in advocating for collective countermeasures.
France also took the position that forceful countermeasures are impermissible. This view is consistent with that set forth in the Articles on State Responsibility and adopted by the majority of the Tallinn Manual 2.0 IGE in the cyber context, but disputed most famously by Judge Simma in his Oil Platforms case separate opinion. The approach would permit countermeasures crossing the use of force level, but not that of armed attack, in response to unlawful cyber operations of the same severity. Most States have remained silent on the issue, but it remains a contentious one among States that accept the “gap” discussed above between the use of force and armed attack thresholds.
Finally, France rejected an absolute duty to notify the State against which countermeasures are to be taken before mounting them. That purported obligation is found in the Articles on State Responsibility but was rejected by the Tallinn Manual 2.0 IGE on the basis that a notification requirement could deprive a countermeasure of its effectiveness. In the Attorney General’s speech, the UK also rejected the strict notification requirement as impractical if applied to cyber countermeasures. This represents a trend likely to be followed by other States.
In addition to the possibility of responding to a hostile cyber operation not reaching the level of armed attack with a countermeasure, France accepts the “plea of necessity” as the basis for responding to hostile cyber operations by means that would otherwise be unlawful under international law. Set forth in the Article 25 of the Articles on State Responsibility and found applicable to cyber operations by the Tallinn Manual 2.0 IGE, the plea allows a state facing “grave and imminent peril” to one of its “essential interests” to take those measures that are necessary to end the peril. This is so even if those measures violate the rights of other States (such as sovereignty). However, the right to act based on the plea of necessity does not arise if the responsive measures, such as hacking back, would place the essential interests of other States that are not responsible for the situation at risk, or when the State concerned is responsible for bringing about the conditions that give rise to the “necessity”
Lastly, France rejects suggestions that it is required to publicly set forth the evidence on which it bases attribution of a cyber operation to another State, a purported requirement that was likewise rejected in Tallinn Manual 2.0. However, France did support a voluntary non-binding norm in the 2015 GGE report to the effect that when possible State should generally do so.
France is to be congratulated for providing its views with such comprehensiveness and clarity. Doing so will enhance deterrence by setting forth red lines that cannot be crossed without consequences and prevent escalation due to normative misunderstanding. Hopefully, other States will soon follow the lead of the UK and France in articulating their legal positions regarding the cyber operations because normative transparency contributes to international peace and security in cyberspace. Ambiguity regarding the rules of the game in cyberspace is a dangerous, destabilizing, and self-defeating strategy.
Senior Airman Alexander Schrichte, 460th Space Communications Squadron client systems technician, performs routine technical checks on network servers, Nov. 9, 2018 at Buckley Air Force Base, Colo. (U.S. Air Force )
Over the course of just a few decades, the world has entered into a digital age in which powerful evolving cyber capabilities provide access to everyone connected online from any place on the planet. Those capabilities could be harnessed for the benefit of humanity; they might also be abused, leading to enormous harms and posing serious risks to the safety and stability of the entire world.
A strategy of international cooperation is crucial to mitigate the threats of abuse of cyberspace, primarily by clarifying the “red lines” in the field of cybersecurity and determining how to verify and enforce states’ compliance with their legal obligations in the field. The five permanent members of the U.N. Security Council (the P5) should have a decisive role in meeting this challenge. Yet while the P5 have had some success when mitigating the risks posed by weapons of mass destruction, the group is unlikely to be able to duplicate this pattern of action in cyberspace considering the rising tensions among the P5 and the geopolitical divisions in cyberspace. These divisions manifested in the 2017 failure of the United Nations Group of Governmental Experts on Information Security (UN-GGE) to produce a consensus report after two decades and five sessions of governmental groups of experts. Nevertheless, given the significance and seriousness of the risks that cyber operations pose to the safety and stability of states, giving up on collective action altogether is also unacceptable.
Currently, states have used three main modes of action to meet the challenge, which I will briefly review below. Recent developments have highlighted the mode embraced and implemented by the U.S. and its close allies: a deterrence-based approach combined with a high degree of ambiguity regarding questions of law and policy in cyberspace. However, this ambiguity undermines attempts to develop clear rules for the conduct of states in cyberspace and thereby adversely affects both the effectiveness of deterrence and the legitimacy of cyber operations conducted to compel compliance with general nonbinding norms and principles. This approach should be reconsidered in favor of a clearer and more balanced strategy that can gain at least the international acceptance of like-minded states.
Current Modes of Action
Since the failure of the UN-GGE in June 2017, key states active in cyberspace have mainly taken three separate modes of action to mitigate the threats posed in or through cyberspace. First, states have resumed international cooperation through two new parallel groups of governmental experts, instead of the one that collapsed. Both new groups act in accordance with two bidirectional resolutions, which the U.N. General Assembly adopted in December 2018. One resolution, led by the United States, established the GGE (Group of Governmental Experts) and the other, led by Russia and China, established the OEWG (Open-Ended Working Group). The two groups’ mandates have significant overlap, as both are authorized to discuss, inter alia, the development of rules and norms in the field of cybersecurity and how international law applies to the use of information and communications technologies. Importantly, the new (i.e., sixth) UN-GGE comprises 25 experts representing 25 states, including the P5, whereas the new OEWG is open to all U.N. member states. Since both groups act on the basis of consensus, we will have to wait and see whether either or both will succeed in overcoming the difficulties that caused the failure of the UN-GGE’s fifth round.
Second, states have engaged in voluntary international initiatives such as the Paris Call, the Cybersecurity Tech Accord, the Charter of Trust and the Global Commission on the Stability of Cyberspace (GCSC). These efforts were initiated by major tech corporations in cooperation with states, think tanks and civil society organizations. These private actors have stepped into the standard-setting arena largely because of a sense of societal responsibility, with a view to fill the void created by the influential states, whose strategy has been to adopt a policy of silence or ambiguity.
The common goal of all those initiatives is to articulate nonbinding norms for cyberspace and to ensure cybersecurity through international cooperation between all relevant stakeholders, inter alia, states, the private tech sector and civil society organizations. They seek to achieve this while preserving neutrality and credibility to reinforce trust and confidence in their processes. In principle, such initiatives should have included most concerned states, including the U.S., the U.K., Russia and China, but these states have refrained from officially becoming involved in such initiatives, ostensibly because they have embraced a policy of ambiguity regarding norms of conduct in cyberspace. This could be considered the Achilles heel of these initiatives—but it does not have to be so, as long as expectations remain modest and reasonable. By acknowledging that states and only states are entitled to determine what constitutes binding law in cyberspace (although adoption of such laws anytime soon seems unlikely), these initiatives have only limited and indirect impact on state practice in cyberspace. Still, they may softly and gradually influence such practice.
Third, states have embraced a deterrence-based strategy. The most powerful states in cyberspace—namely, Russia and China on one side, and the U.S. and the U.K. on the other—have funneled their efforts and resources into a vigorous cyber arms race, motivated by their own strategic considerations. The greater technological advantage gained by one side, the more intensified the mistrust and the fear in the mindset of the other. That may trigger retaliatory responses, not necessarily confined to cyberspace, to reestablish the balance of powers or to ensure mutual deterrence. Obviously, such a response is risky—but if managed cautiously, U.S. deterrence may be more successful. Still, it will probably not be enough to meet the long-term challenge of ensuring security and stability in cyberspace.
The first layer is identification and attribution, when the evidence is sufficient and public attribution may not jeopardize strategic interests. Second is naming, shaming and indicting, when the amount of evidence gathered allows it. Finally, there is lawful retaliation, mostly by retorsions such as diplomatic or economic sanctions, which are lawful acts though unfriendly within interstate relations. Although these layers of operation could be implemented consecutively or separately by any concerned state considering its self-interests in any given scenario, they were tailor-made for the U.S. and its national security interests. Unsurprisingly, the U.S. is the only state that has implemented a doctrine involving all three layers.
A short review of recent developments indicates a change in the U.S. policy in cyberspace toward more a proactive and deterrent approach to ensure compliance of states with nonbinding norms that reflect responsible state behavior.
Setting the Norms
The new National Cyber Strategy encourages “universal adherence to cyber norms: [i]nternational law and voluntary non-binding norms of responsible state behavior in cyberspace provide stabilizing, security-enhancing standards that define acceptable behavior to all states and promote greater predictability and stability in cyberspace ….” Eventually, it refers to the 2017 G7- Declaration of Responsible State Behavior, including the norms, rules and principles of responsible behavior of states consensually endorsed in the UN.-GGE third (2013) and fourth (2015) rounds, and the U.N. Charter.
This involves formalizing cooperation with like-minded states to jointly and publicly attribute responsibility for cyber attacks. Attributing the May 2017 WannaCry cyber operation and the June 2017 NotPetya operation at the outset of 2018 (see here, here and here) was a precursor to such enhanced cooperation. In October and December 2018, the U.S and its close allies, mainly its Five Eyes partners (Australia, Canada, New Zealand, and the U.K.), jointly attributed responsibility to Russia and China, respectively, for a series of cyber operations conducted by the GRU (including disruptive and destructive operations) and the group known as APT10 (including economic espionage) against numerous states (see here, here, here, here and here).
Coordinated Retaliation and Imposing Consequences
The updated National Cyber Strategy calls for the deterrence of irresponsible state behavior by imposing consequences for breaching nonbinding norms, such as those endorsed by the UN-GGE and mentioned above. This combines with the launching of an International Cyber Deterrence Initiative by a coalition of like-minded states to coordinate and support each partner’s response to significant malicious cyber incidents. The U.S. implemented this strategy by indicting Russian and Chinese governmental operatives for the GRU and APT10 operations (see here and here), in addition to personal sanctions imposed against the Russian and Chinese defendants. However, the U.S. allies had little ability to impose additional costs, especially because the targeted states are superpower states, such as China and Russia. Nevertheless, the U.K., the U.S. and the Netherlands coordinated unprecedented exposure of intelligence about GRU’s operatives, methods and cyber operations to harm its operational capabilities (here and here). The U.K. and the U.S. coordinated exposure of intelligence also against China's APT10 (here and here).
Furthermore, at the national level, Congress has adopted active defense principles toward specific states (Russia, China, North Korea and Iran). This involves removing bureaucratic restrictions and authorizing offensive-defensive actions “to disrupt, defeat, and deter” should any of the four countries conduct malicious activity in cyberspace against the U.S. and the American people, including attempting to influence American elections and democratic political processes. In the same vein, the Defense Department’s 2018 Cyber Strategy includes “defense forward” as a deterrent measure, defining it as “disrupt[ing] or halt[ing] malicious cyber activity at its source, including activity that falls below the level of armed conflict.” In other words, the policy tackles emerging threats immediately at the source and may include cyber activities below the threshold of “use of force” within the adversary’s network or territory, by virtue of the relevant authorities delegated down to the appropriate level in U.S. Cyber Command.
In the time since the power to approve specific offensive cyber operations has been delegated down, it has been used much more frequently and effectively, including in a preventive manner during the U.S. midterm elections in November 2018 (see also here). In a recent statement, U.S. National Security Adviser John Bolton emphasized the United States’s improved “capabilities across the board to engage in more offensive cyber activities” and told Russia and any other state engaged in cyber operations against the U.S. that they “will pay the price … we will impose costs on you until you get the point.”
It is worth noting that the active defense approach has been endorsed publicly by senior officials such as the British minister of foreign affairs and even the French minister of defense, who suggested France’s approval of the approach while presenting the new French national cyber strategy. Still, from the perspective of international law, the legality of this proactive approach—which may include “hack-back” actions and other intrusion operations—is questionable. It depends on the way legal terms such as “sovereignty” and “countermeasures” would be interpreted and consensually applied in cyberspace.
Ambiguity and Deterrence
In a recent article for the American Journal of International law, Yuval Shany and I present an investigation of 11 cyber operations that occurred from 2013 to summer 2018, including, inter alia, the hack of the Democratic National Committee, the hack of Sony, the Office of Personnel Management hack, and the WannaCry and NotPetya cyber operations. All these operations were deemed to be executed by states or state-sponsored groups or individuals. Our findings indicated that victim states and attackers as well have endorsed a policy of ambiguity and silence. The goal of such approach is to maintain as much leeway as possible under the legal, technological and political uncertainties of cyberspace—thus, we wrote, “[E]ven when [states] acknowledge that they were victims of cyber operations directed against them, the rhetoric they use to describe the operation and their planned reaction thereto tends not to include legal arguments or references to specific norms of international law.”
When operating under conditions of significant normative uncertainty, Shany and I argue, states employ three interrelated strategies: “optionality,” regarding international law as an optional legal framework, which states may or may not invoke and apply; “parallel tracks,” the development through state practice of formal rules backed by opinio juris and informal set of rules shaped by practice without the sense of a legal obligation, both of which can presumably limit state power; and “gradations in law enforcement,” distinguishing between violations that are likely to lead to some form of response and those unlikely to do so.
It is worth noting that states did not reference any violation of an international obligation regarding the cyber operations that were collectively attributed (WannaCry, NotPetya, and the APT10 and GRU operations). This is consistent with the strategy of optionality: Treating the applicable international law framework as optional allows states to choose whether or not to invoke the legal discourse of international rights and obligations regarding their mutual interactions in cyberspace.
Undertaking retorsions and criminal indictments coincides with the strategies of “parallel tracks” and “gradations in law enforcement.” This is seemingly a reasonable compromise between the deterrence and ambiguity considerations. Hence, despite strong rhetoric about imposing consequences as a deterring retaliation, the U.S. and its close allies have so far applied only retorsions, which are lawful acts, though unfriendly—in lieu of countermeasures, unlawful acts in response to the violation of an international obligation. Countermeasures carry the risk of qualifying as a violation of international law by itself, if undertaken mistakenly.
The U.S. determination to implement a deterrence-based approach in cyberspace in tandem with its policy of ambiguity and silence may weaken deterrence and harm U.S. credibility. It also blurs the message of adherence to the rule of law in cyberspace, which is particularly concerning at a time when the question of how international law should be applied is still open ended and the law unclear and underdeveloped.
Attributing responsibility for violating nonbinding norms and undertaking punitive or retributive measures might be legally problematic, to say the least. Moreover, any attribution claim should refer to a violation of an international obligation, which should be clear and unequivocal. Enforcing nonbinding norms or principles with no clear contents is unacceptable and contradicts basic requirements of the principle of legality, which demands strict articulation of any legal prohibition. A state that deliberately ignores nonbinding norms is not in violation of its international obligations and therefore cannot be legally subjected to countermeasures, nor can it face consequences according to the deterrence-based approach.
Obviously, the policy of ambiguity is legitimate and premised on a common objective of maintaining operational latitude that remains as wide as possible, both defensively and offensively. However, this policy may result in a vicious cycle. While it serves states’ interest in maintaining latitude, it creates a significant obstacle in establishing accountability, which requires a clear binding legal framework and an efficient enforcement mechanism—both of which have not yet been formulated and cannot be shaped under conditions of uncertainty.
Ultimately, the tit-for-tat imposition of consequences provides the U.S. and its close allies with a prominent deterrence tool to deploy against their adversaries. That might be useful against a nonstate actor or less powerful state. But when the adversary is, for instance, Russia or China, the risk of escalation is much more serious.
Bearing in mind the uncertainties regarding the rising tensions among powerful states in cyberspace, along with evolving technological capabilities, ambiguity and deterrence are not a zero-sum game. They can and should be rebalanced.
The recent collective attribution claims rely mainly on close cooperation among intelligence communities, primarily the Five Eyes and several additional Western allies. The content and amount of evidence remain classified, and the standard of proof is enunciated by short sentences or phrases such as “highly likely,” “high confidence,” “almost certainly responsible” and “highest level of probability.” That lack of transparency reinforces the adverse effect on the process’s credibility, which, in turn, may affect the legitimacy of any act taken in retaliation.
Nevertheless, there are some options that should be considered to increase legitimacy and credibility while implementing limited transparency. A priority should be reinforcing cooperation among an increasing number of like-minded states; collective attribution should involve more than a select group of states. Even more so, substantiating attribution claims also requires permanent cooperation with private cybersecurity and tech firms such as GAFAM (Google, Apple, Facebook, Amazon and Microsoft). Establishing parallel cooperation between states on the one hand and private companies on the other while maintaining national security will be a challenge. But as insurmountable as it may appear, it will be a worthy challenge to tackle.
Exactly a year ago, U.K. Attorney General Jeremy Wright made a significant step toward setting opinio juris regarding the application of international law to cyberspace. Most relevant were his comments on the principle of sovereignty in cyberspace: The U.K. does not recognize the existence of a cyber-specific rule on violations of territorial sovereignty. Furthermore, the speech negated the applicability of two traditional obligations: the obligation to provide advance notification prior to executing countermeasures and the obligation to disclose evidence justifying attribution. Moreover, the attorney general emphasized the importance of international law in cyberspace despite the restrictions this places on states’ freedom of action: “[B]ecause we believe that a rules-based international order makes the world a safer place … it must also follow that a rules-based international order can only prevail when the rules can be clearly understood and that where they are unclear we seek to bring clarity.”
Considering the recent developments in cyberspace, it is time for the U.S.—as a leading superpower in the international community, and primarily in cyberspace—to take the lead in clarifying its legal and political stances regarding the application of international law in cyberspace, particularly on essential issues such as sovereignty, nonintervention, due diligence, countermeasures, the evidentiary standard and even the boundaries of legitimate espionage. Although this will reduce the level of ambiguity, it should not necessarily remove it totally—a gradual reduction in the level of ambiguity might be even better.
The U.S. should also prioritize reinforcing international cooperation to ascertain that the International Cyber Deterrence Initiative (ICDI) does not just focus on deterrence through joint imposition of consequences. Instead, the initiative should attempt to establish accountability in cyberspace by relying on a defined legal framework that includes binding rules and clear attribution and enforcement mechanisms. This could be done in parallel or in combination with the other modes of action described at the outset. Determining how to do this will be the responsibility of the ICDI, or, more accurately, the International Cyber Accountability Initiative (ICAI) to decide.
Two decades have passed since the UN-GGE was established with the mandate to examine and recommend how to meet the challenges and close the increasing gap between international law and evolving technology in cyberspace. Time is running out. International achievements in standards setting are limited, and cyber threats are increasing exponentially. The international community, particularly democracies led by Western major powers, should enter the third decade of the digital age equipped with broadly accepted tools and strong willingness to establish accountability in cyberspace based on clear, binding rules and enforcement mechanisms.