According to open-source reports, the Obama administration is considering how to retaliate against China for hacks into the US government’s Office of Personnel Management (OPM). Although it has hesitated to openly pin the rose on China, the reports raise questions as to how it might respond consistent with international law.
The issue of responses to harmful cyber operations has generated a fair degree of rather confused dialogue among politicians, pundits and the public. In the aftermath of, inter alia, the Sony hack and the OPM incident, it might be useful to take a by-the-numbers look at the international law governing responses to harmful cyber operations. The International Group of Experts that prepared the 2013 Tallinn Manual on the International Law Applicable to Cyber Warfare under the auspices of the NATO Cooperative Cyber Defence Centre of Excellence dealt with the topic briefly. A follow-on project, “Tallinn 2.0,” is presently underway to examine these issues in greater depth. As director for both projects, I have found the most useful lesson to be that, despite persistent claims to the contrary by international law and policy alarmists, the extant international law provides a linear structure, and robust means, for response. In the same way that international law generally balances national interests and international stability in the non-cyber realm, so too does it with respect to cyber. What follows is a summary of my approach to deconstructing the applicable law.