According to open source reports, the Obama administration is considering how to retaliate against China for hacks into the US government’s Office of Personnel Management (OPM). Although it has hesitated to openly pin the rose on China, the reports raise questions as to how it might respond consistent with international law.
The issue of responses to harmful cyber operations has generated a fair degree of rather confused dialogue among politicians, pundits and the public. In the aftermath of, inter alia, the Sony hack and the OPM incident, it might be useful to take a by-the-numbers look at the international law governing responses to harmful cyber operations. The International Group of Experts that prepared the 2013 Tallinn Manual on the International Law Applicable to Cyber Warfare under the auspices of the NATO Cooperative Cyber Defence Centre of Excellence dealt with the topic briefly. A follow-on project, “Tallinn 2.0,” is presently underway to examine these issues in greater depth. As director for both projects, I have found the most useful lesson to be that, despite persistent claims to the contrary by international law and policy alarmists, the extant international law provides a linear structure, and robust means, for response. In the same way that international law generally balances national interests and international stability in the non-cyber realm, so too does it with respect to cyber. What follows is a summary of my approach to deconstructing the applicable law.
1) Is the operation an “armed attack” under Article 51 of the UN Charter and customary international law? Armed attacks undeniably include all cyber operations that cause significant physical damage or injury. In my view, they also include those that seriously impair the functionality of critical infrastructure or that otherwise have devastating non-physical effects, such as crippling a State’s economic system (although I concede that the law on non-destructive cyber operations and armed attacks remains unsettled). If the operation is an armed attack, the victim State may respond with kinetic or cyber operations at the UN Charter Article 2(4) “use of force” level, including destructive actions, so long as the response comports with the self-defense requirements of proportionality and necessity and the temporal limits of imminence and immediacy. Opinion is divided as to whether a cyber attack by a non-State actor, like a hacktivist or terrorist group, that is not attributable to a State may qualify as an “armed attack”. I believe it can, as do most States that have proffered an opinion on the subject.
2) Does the cyber operation represent a “grave and imminent peril” to the “essential interests” of the target State? If so, pursuant to the “plea of necessity” (as set forth in Article 25 of the Articles on State Responsibility), the State may respond with cyber or non-cyber measures (such as hack backs that shut down cyber infrastructure abroad that is used to mount the harmful operations) that would be unlawful but for the situation of necessity. Although a response might violate the sovereignty of the State concerned, it would be lawful to put an end to the peril unless the response poses a grave and imminent peril to that (or another) State’s essential interests.
There are certain obstacles to relying on the plea as the basis for response. First, it only lies in exceptional circumstances. Second, the terms “grave” and “essential” are vague, although the cyber operations against critical infrastructure or the economic system cited above would surely qualify, thereby affording an option for response that some experts suggest is unavailable in the context of the law of self-defense because the threshold of “armed attack” has not been reached. Third, it is uncertain whether responses at the use of force level are permissible (I take the position that they are not). Finally, the plea of necessity should be resorted to only as a last resort; in other words, it must be the only means available to resolve the situation.
However, a significant benefit of the plea of necessity is that there is no requirement (as in the case of countermeasures, discussed below) that the originator of the harmful cyber operation be a State. Thus, responses based on the plea are permissible even if non-State actors have targeted the State or the identity of the originator of the harmful cyber operation is uncertain or unknown.
3) If it does not qualify as an armed attack, and does not qualify for a response based on the plea of necessity, is the harmful operation nevertheless an “internationally wrongful act” by a State or one attributable to a State under the law of State Responsibility? In other words, does it violate an international law obligation owed by one State to another?
There are a number of possibilities in this regard. The cyber operation in question might violate a treaty obligation owed to the target State, as in conducting a cyber operation that violates particular terms of an agreement regarding shared use of cyber infrastructure or governing operations from the other State’s territory. Or the operation could qualify as an unlawful intervention because it is coercive in nature and intrudes on the matters exclusively within the purview of the target State. Examples include interfering by cyber means with another State’s elections or engaging in law enforcement activities on another State’s territory without that State’s consent.
Perhaps the most likely form of internationally wrongful act in the cyber context is a violation of the target State’s sovereignty. In this regard, it makes no difference whether the operation targets government (e.g., OPM) or private (e.g., Sony) cyber infrastructure. The relevant legal consideration is that since the infrastructure lies on the State’s territory, the State, with a few minor exceptions, enjoys sovereignty over it.
It should be cautioned that there is a lack of agreement as to when one State’s cyber operation violates the sovereignty of another. Consensus appears to exist that it does if physical damage or injury results. It also seems logical that if the operation requires repair to restore functionality, sovereignty has been breached. Beyond these clear-cut cases, agreement breaks down. My view is that if the cyber operation destroys or alters data or somehow makes the cyber infrastructure operate in a manner in which it is not intended to operate, the sovereignty of the State where the cyber infrastructure is located has been implicated. I would likewise categorize emplacement of malware on another State’s infrastructure as a violation if the malware is designed to do more than monitor activities.
Less clear are situations involving exfiltration of data, as in the OPM hack. In my estimation, the OPM operation was not a violation of US sovereignty. In this regard, paragraph 16.3.2 of the new Department of Defense Manual hints that such operations do not violate sovereignty when it states that, “Generally, to the extent that cyber operations resemble traditional intelligence and counter-intelligence activities, such as unauthorized intrusions into computer networks solely to acquire information, then such cyber operations would likely be treated similarly under international law.” The State practice regarding exfiltration appears so thick, and the condemnation on the basis of international law so muted, that I find it implausible to argue that sovereignty is violated by these commonplace cyber operations.
One must be careful, however, not to assert that such operations are lawful because they constitute espionage, which is lawful in international law. In fact, espionage is neither lawful nor unlawful; rather, international law fails to address it per se. Some acts of espionage, such as mere exfiltration of data, are not, as explained, unlawful. Others, such as engaging in close-access operations on another State’s territory, are obvious violations of sovereignty. It is the underlying act that determines the legality of such cyber operations, not the fact that they are engaged in for the purpose of espionage.
4) If a cyber operation qualifies as an internationally wrongful act, are cyber (or non-cyber) countermeasures allowed as a response? Countermeasures (described in Articles 22 and 49-54 of the Articles on State Responsibility) are otherwise unlawful actions taken by an “injured State” (the State with respect to which the obligation has been breached) against the “responsible State” (the State that engaged in the wrongful act) to compel the responsible State to desist in its unlawful conduct. The classic case is a hack back that would violate the sovereignty of the responsible State absent its qualification as a countermeasure. Note that there is no requirement that the response be in-kind or in violation of the same norm that was breached by the responsible State.
There are many limitations and restrictions on the taking of countermeasures since, after all, they are acts that would violate international law but for the responsible State’s wrongful conduct. Most importantly, countermeasures are only available in response to an internationally wrongful act, thus excluding their use in, for instance, the OPM case. They may not be designed to punish the responsible State, but instead are permissible solely to compel it into desisting from continuing its wrongful cyber operations. Thus, they are only available while that State is engaging in the wrongful conduct (or likely to continue to engage in it in the future). Countermeasures must be proportionate (not in the ad bellum or in bello sense of the term) to the actual harm caused by the responsible State’s wrongful cyber operation and to the gravity of the breach of law in question. Before taking a countermeasure, the injured State must call upon the responsible State to discontinue its wrongful actions and notify that State of the injured State’s intent to take countermeasures if it does not. This obligation is subject to a condition of feasibility because notification might allow the responsible State to block or otherwise frustrate the countermeasure. However, since countermeasures are designed to make the responsible State stop the offending cyber operation(s), the responsible State must somehow be made aware that the acts comprising the countermeasures are related to its misconduct. Once the wrongful cyber operation has ended, the countermeasure must be terminated. It should be cautioned that a countermeasure against a responsible State could violate obligations owed by the injured State to other States. When this is the case, countermeasures are impermissible and only resort to the plea of necessity (and in some cases self-defense) may justify a cyber response affecting the rights of third States.
Private actors may not engage in countermeasures unless doing so on behalf of a State. Moreover, as noted, countermeasures may only be taken in response to wrongful acts by or attributable to States. For instance, they may not be conducted in reply to a non-State actor’s cyber operation unless a State “directed or controlled” the operation, in which case it would be attributable to that State, as explained in Article 8 of the Articles on State Responsibility. That said, if a State is in breach of its “due diligence” obligation to ensure its territory is not used for purposes harmful to other States, it has committed an internationally wrongful act that opens the door to countermeasures against that State for its unwillingness to control activities on its territory. As I have explained elsewhere, in such cases the countermeasure may consist of a cyber operation against the non-State actors because the wrongfulness of the breach of the territorial State’s sovereignty would be precluded on the basis that the countermeasure responds to the State’s failure to meet its due diligence obligation.
5) If the cyber operation does not qualify as an internationally wrongful act, is the State left defenceless? What is often missed is that a State may always engage in acts of retorsion. Acts of retorsion are lawful but unfriendly actions taken against another State. An example in the cyber realm is economic sanctions conducted by cyber means such as blocking access to websites of another State’s companies or denying access from that State to cyber infrastructure on the territory of the State engaging in the retorsion. In the OPM case, for instance, although the operation was not an internationally wrongful act, the United States could respond in kind by engaging in operations to exfiltrate Chinese national security data (assuming arguendo that China is behind them).
As should be apparent, international law provides sufficient bases for responses by States to most cyber operations. And, of course, the discussion above is without prejudice to the numerous grounds for asserting jurisdiction over harmful cyber operations that violate their domestic law. It would appear that the obstacle to effective State responses is not the existence of normative voids in cyberspace, but rather tends to be a failure to think through how existing law applies or to do so in a slapdash manner.