By: Yuval Shany.
Active defense in cyberspace may involve operations taking place outside the network boundaries of a potential victim of a harmful cyber operation and intrusion into the attacks computer system or its cyber infrastructure with a view to collect information about the identity of those behind the cyber operation (e.g., ‘beaconing’), or with a view to inflict harm on the attacker’s software, hardware or data either in order to stop an ongoing cyber-attack, to prevent a future one and/or to deter the attacker or others from doing so. This ‘hunted becomes the hunter’ situation can be resorted to by governments – either in response to an attack against government cyber infrastructure or private cyber infrastructure subject to its jurisdiction, or by private actors whose own infrastructure was breached.
Much of the discussion about the legality of such ‘hack backs’ revolved in the last two years around domestic legislation and legislative initiatives that tries to legalize active defense by exempting it from criminal legislation that outlaw computer crimes or by authorizing the government to engage in such policies. Two prominent examples are the Active Cyber Defense Certainty Bill (ACDC) from 2017 and a planned German hack back bill. My focus in this post is, however, on the legality of such practices under international law.
The question of the legality of active defense measures revolves to a large extent on how the initial attack and the response are qualified under international law rule governing international stats relations and conduct. As is well known, the Tallinn 2.0 Rules define the use of force quite restrictively, mostly requiring physical harm to hardware or to end-point objects and excluding harm to data, and temporary computer dysfunctionality – such as that typically caused by DDOS attacks. Furthermore, an armed attack requires according to the ICJ Nicaragua judgment a use of force of a significant scale and effect, implying that even if physical harm has been caused it can justify response in self-defense in exceptional cases. Add to that the ICJ Wall Opinion and Congo v Uganda judgment, which reject the possibility that non-state actors will be responsible for an armed attack under the Charter – and the fact that many cyber operations appear to be executed by non- state actors. The upshot is that one is left with an almost impossibly high threshold of justifying ‘hack back’ measures as a form of self-defense under international law.
Still, this is not the end of the relevant legal analysis. Cyber operations falling short of use of force, may still be regarded as violation of the principle of state sovereignty if, according to the Tallinn Manual, the operation causes significant harm to the cyber infrastructure in the target state or usurp inherent government functions, including potentially manipulation of elections. This standard does not present a clear threshold of harm, nor is there consensus around the legal status of sovereignty – is it a rule or principle, and whether international law bars operations that do not violate the non-intervention rule, which according to the Nicaragua judgment should feature an element of coercion. Still, if the threshold is crossed – then counter-measures, including counter-cyber operations not amounting to a use of force, may be resorted to – but subject to a number of conditions I will immediately address.
Below the threshold, there seems to be a grey zone of operations that inflict some harm on cyber infrastructure – such as temporary shutdown, data theft, opening a back door or alteration of functionality through malware – without too serious repercussions, which may consequently fall below the level regulated by inter-state rules on cyber operations. In this grey zone, operations – although disruptive of business and other activity – do not clearly violate international law, and as a result do not give rise to the right to apply counter-measures under the laws of state responsibility. At the same time, certain responses – even ‘hack backs’, which remain inside the grey zone do not violate international law either.
A look at the international laws governing counter-measures renders the picture even more complicated. First, the framework of counter-measures under international rules on state responsibility may allow a counter-cyber operation falling short of the use of force only if it were to meet certain conditions, the most demanding of which is article 52 of the Articles on State Responsibility, which requires a notification and/or call on the state to fulfil its obligations. Clandestine and immediate ‘hack backs’ would clearly not meet this requirement. It is this element that the UK Attorney General identified in his Chatham House speech of 23 May 2018 when he commented that – “In such circumstances, we would not agree that we are always legally obliged to give prior notification to the hostile state before taking countermeasures against it.” Thus, a tension exists between the purpose of the counter-measures under the laws of state responsibility – which is a return to a state of legality – and the potentially retaliatory or escalatory effect of active defense in state practice.
The UK Attorney General did identify also another complicating factor – which is the need by the responding state to be confident about the source of the operation before responding. Indeed, counter-measures can only be applied against the state which has violated international law. This is a challenge due to the well-known problem of attribution of cyber operation, which is created by the use of decoys, anonymous account, slave-computers and the like, which may lead to mistaken identification of the attacking state. One can note that questions related to information about the source of the attack are also key in assessing the proportionality of the counter-measure and in ensuring that it remains below the use of force threshold. For example, taking down a server without knowing what systems and services depend on it, could have unforeseen circumstances - which may run afoul, for instance, with precautionary obligations under IHL and good faith obligations under general international law. This is why automatic ‘hack back’ systems, reacting without meaningful human control or supervision or comparable safeguards – which can be manipulated by decoys and strings of computers – would be highly undesirable and probably unlawful under international law.
Yet, another complication arises from the role of private actors in cyber operations. International law regulates, generally speaking, the conduct of states and IGOs, and through them the conduct of other actors. It is thus for states to ensure that individuals do not abuse their territory to harm the rights and interests of other states, by exercising due diligence over private actors located under their jurisdiction. Hence, in cases involving private individuals, states may be subject to counter-measures only if it is shown that they have failed to meet their due diligence duty to prevent an unlawful cyber-operation.
There is thus another grey zone – the activities of private actors which state could not have reasonably prevented. And the same logic applies in the other direction – the responding state must exercise due diligence to prevent unlawful harms caused by private vigilantes engaged in private ‘hack backs’. The upshot may be that activities that fall short of the harm threshold and/or the reasonable expectations of state vigilance do not implicate the responsibility of the state. But in practical terms it may be very difficult for states to calibrate their supervision so as to prevent only significant harms caused by private actors, especially since the ‘hack backers’’ ability to control harm and identify the right target for response are in themselves fairly limited. Turning a blind eye to any private active defense may as a result violate due diligence standards for the territorial state.
It seems thus that international law provides only limited guidance to states on how to regulate and address active defense – public and private. As indicated before domestic law – criminal law and civil law – may provide some further limits on the activities of hackers and ‘hack backers’. From that perspective, moving to decriminalize ‘hack backs’ may remove an important safeguard against further abuse, and escalation.
Moreover, we are seeing, increasingly, a move towards the development of another layer of norms in international relations – informal norms, which states expect one another to observe, which regard even operations that do not meet the harm threshold – because they involve data theft or temporary loss of functionality – as unfriendly acts, to which they respond through retorsions. That is, acts which do not violate international law but deny states privileges or concessions, such as economic sanctions or below the threshold retaliation.
We have seen in recent years the US respond with open sanctions and perhaps also to covert below the threshold activity to the North Korean attack against Sony Pictures, and with a combination of diplomatic and economic sanctions and criminal investigation to the interference in the 2016 elections. In a paper by Dan Efrony and I, published last year in AJIL, we argued that retorsions constitute the preferable mode of response by states to cyber operations, since it relieves them from the need to make a public attribution case (which may be based on confidential intelligence/undeclared cyber capabilities), and to clarify the legal standards applicable in cyber space.
Such an approach seems to assume that relations between states are based on principles of international law – such as prohibition of use of force, non-intervention and due diligence, and on principles of friendly relations – such as non-interference and cross-border crime prevention, which are based not on legal obligations but on reasonable expectations as to standards of conduct among states.
Active defense measures – which traverse the line between counter-measures (or even use of force in self-defense) and retorsions, depending on the harm inflicted and the degree of state awareness to the active defense action – are governed according to this approach by both formal and informal frameworks. Since in practice states prefer to keep their active defense policies and specific applications thereof below the radar screen, they must deal with it under the informal rules governing acts of retorsion – which in practical terms require limits on the overall harm inflicted and effective control over the act itself or the actor – and include an expectation of proportionality between the harm caused and the level of response resorted to.