Un-caging the Bear? A Case Study in Cyber Opinio Juris and Unintended Consequences

On October 4, the United Kingdom’s National Cyber Security Centre (NCSC), a division of the GCHQ, issued a news release attributing multiple cyber campaigns to Russia’s military intelligence service, the GRU. They were, according to the NCSC, designed to ‘undermine [the] international sporting institution WADA [World Anti-Doping Agency], disrupt transport systems in Ukraine, destabilise democracies and target businesses’.

The release was notable in two regards. As the campaigns were conducted by the GRU, an organ of the Russian government, Russia is legally responsible under the law of State responsibility for any violations of international law that may have occurred. Second, the release stated that the operations were ‘conducted in flagrant violation of international law’. Indeed, Foreign Secretary Jeremy Hunt, whom the release quoted, observed, ‘[t]his pattern of behaviour demonstrates their desire to operate without regard to international law or established norms and to do so with a feeling of impunity and without consequences’. 

Unfortunately, neither the NCSC nor the Foreign Secretary delineated those rules of international law that Russia allegedly violated or otherwise undermined. In this post, we attempt to tease loose the legal significance of the operations by measuring them against the recently enunciated UK positions on international law in the cyber context. Attorney General Jeremy Wright set forth these positions in a 23 May Chatham House speech. We first highlight the UK approach to the key international law prohibitions that are relevant vis-à-vis the Russian operations. Second, we assess the operations themselves against the UK position on these legal rules. Finally, we conclude by making the point that legal policy decisions with respect to cyberspace may prove a double-edged sword. Compelling reasons may exist for adopting particular positions regarding international law norms in cyberspace, but seldom are those positions cost-free. In particular, we suggest that the United Kingdom’s rejection of a rule requiring respect for the sovereignty of other States eliminates its most defensible basis for arguing that the Russian cyber campaigns undermined international law. Other States should bear this in mind before following suit.

The Key UK Positions on International Law in Cyberspace

Wright began his 23 May speech by acknowledging that the entire UN Charter applies in cyberspace, including the Article 2(4) prohibition on the threat or use of force against another State’s territorial independence or political integrity. The United Kingdom had endorsed this proposition earlier in the 2013 and 2015 reports of the UN Group of Governmental Experts (GGE) on Developments in the Field of Information and Telecommunications in the Context of International Security.

While this stance is uncontroversial, Wright’s speech provided little clarification as to exactly what constitutes a use of force in cyberspace. However, he did proffer cyber operations that would constitute an ‘armed attack’ giving ‘rise to an inherent right to take action in self-defence, as recognized in Article 51 of the UN Charter.’ Included were interfering with ‘one of our nuclear reactors, resulting in widespread loss of life’, and ‘a hostile cyber operation to disable air traffic control systems which results in the same, ultimately lethal, effects’. Such cyber operations, if committed by States, would likewise qualify as uses of force since armed attacks are, according to the International Court of Justice in its Nicaragua judgement, ‘the most grave form[ ] of the use of force’.

The common element among those cited by Wright is that they are physically destructive or injurious. It is unclear whether the United Kingdom would treat the relatively permanent loss of functionality of cyber infrastructure as the equivalent of physical damage for the purpose of the rule, as did the experts who prepared Tallinn Manual 2.0, or whether severe, albeit non-damaging/injurious, effects of a  cyber operation would, in its view, qualify as a use of force. In the latter regard, a footnote to the Ministry of Defence’s 2016 Cyber Primer suggests that ‘a sustained attack against the UK banking system, which could cause severe financial damage to the State leading to a worsening economic security situation for the population’, would so qualify.  This viewpoint has not been expressed elsewhere by UK officials.

Wright also identified as applicable in the cyber domain the international law prohibition on the ‘external, coercive intervention in the matters of government which are at the heart of a State’s sovereignty, such as the freedom to choose its own political, social, economic and cultural system’, text that draws upon the ICJ’s Judgment in Nicaragua. He grounds this prohibition in Article 2(7) of the UN Charter and customary international law but fails to distinguish the two bases (the former only applies to UN intervention). Nevertheless, the examples Wright cites are, at least in the case of the first two, uncontentious – cyber operations ‘to manipulate the electoral system to alter the results of an election in another State, intervention in the fundamental operation of Parliament, or in the stability of our financial system’. Although similar statements on the application of the prohibition on coercive intervention in the cyber context have been made by other States, Wright rightly cautions that the ‘precise boundaries of this principle are the subject of ongoing debate between States’. 

In what was perhaps the most legally noteworthy aspect of the speech, Wright discussed ‘the regulation of activities that fall below the threshold of a prohibited intervention, but [that] nonetheless may be perceived as affecting the territorial sovereignty of another State without that State’s prior consent’. Some States and commentators, including one of the authors, are of the view that certain cyber operations violate the target State’s sovereignty because they either result in particular consequences on the territory of that State or interfere with its inherently governmental functions, such as law enforcement, the conduct of elections or national defence. For them, the issue is not whether cyber operations can violate international law, but rather identification of the criteria by which they do so. Wright explains that the UK position is to the contrary, that there is no ‘specific rule or additional prohibition for cyber activity beyond that of a prohibited intervention.’ This position is akin to that taken by a several US practitioners affiliated with the US Department of Defence who have opined in their personal capacity on the subject. It remains to be seen whether, and if so how, the recent Trump administration’s emphasis on US sovereignty will influence the internal debate on the matter.

Legal Assessment of the Russian Cyber Operations

With these key elements of the UK positions summarized, we return to the Russian operations listed by the NCSC, at least some of which are apparently flagrant violations of international law in the United Kingdom’s view. The effects of the operations, which play the central role when determining their legal character, fall into three categories.

Damage, including loss of functionality

• Hard drives encrypted and cyber infrastructure rendered inoperable, resulting in disruption of the Kiev metro, Odessa airport, Russian central bank and two Russian media outlets (2017)
• “Destructive cyber attack” on Ukrainian financial, energy and government sectors that spread to European and Russian businesses (2017)

Exfiltration and release of information

• Exfiltration and release of international athletes’ confidential WADA medical files (2016)
• Exfiltration and release of US Democratic National Committee emails (2016)
• Exfiltration of emails from a UK-based TV station (2015)

Acquisition and attempted acquisition of access

• Infection of home and small business computers, potentially enabled control of the infected devices, rendering them inoperable, and intercepting or blocking network traffic (2017)
• Access to Organisation for the Prohibition of Chemical Weapons (OPCW) computer networks (2018)
• Compromise various computer systems, including those of the UK Defence and Science Technology Laboratory and Foreign and Commonwealth Office (FCO) (2018)

The question is whether these operations violated international law and, if so, which rules. A key factor in the first category is the causation of damage, especially in the form of loss of functionality of the affected cyber infrastructure in Ukraine. Knock-on, or even direct, effects on the Russian systems can be ignored because Russia cannot engage in an internationally wrongful act against itself (although it can commit, as mentioned below, human rights violations).

Russia’s encryption of Ukrainian hard drives and the rendering inoperable of Ukrainian cyber infrastructure disrupted transportation systems, banks and media outlets in the country. As noted earlier, it is not known whether the United Kingdom extends the use of force prohibition to such operations. Should it support the loss of functionality approach, the operations in question might qualify as a use of force. This would depend on whether the United Kingdom would attach a severity requirement to the qualifying loss of functionality and, assuming it did, the threshold at which it was set. As to the disruptions that occurred, the harm cited by the NCSC does not appear to have risen to the extremely acute level suggested in the MOD Cyber Primer, which was illustrated with a financial attack affecting the entire population.

With respect to prohibited intervention, the analysis is more difficult. Intervention has two elements – interference with the domaine réservé of another State and coercion. In other words, there must be an attempt to cause a State to act in a way it would otherwise not act, or refrain from acts in which it would otherwise engage (coercion), with respect to a sphere of activity that is reserved to States in the sense that it is generally unregulated by international law (domaine réservé). The determinative question is therefore whether Russia was seeking to alter Ukraine’s decision making as to matters reserved to that State, the paradigmatic example being the ‘freedom to choose its own political, social, economic and cultural system.’ Without knowing Russia’s intent, it is difficult to conclusively label the operations as either coercive or intruding upon the domaine reserve.

The most likely characterization of the Russian cyber operations would be violation of Ukrainian territorial sovereignty, for the operations unfolded on cyber infrastructure located in Ukraine. As noted, consensus is lacking among those in academia and governments, including the authors of the Tallinn Manual 2.0, regarding the precise criteria for a breach of sovereignty by cyber means. However, this question is moot for the United Kingdom since it has rejected the existence of an international law rule safeguarding sovereignty in the first place.

The operations that would appear highly susceptible to characterization as unlawful breaches of sovereignty are the ‘destructive’ cyber operations targeting Ukrainian financial, energy and government sectors. The NCSC appears to be referring to the NotPetya cyber operations we analysed in a previous EJIL: Talk! post. In that case we were unable to definitively conclude that NotPetya was either a prohibited use of force, because of the severity of the consequences issue, or a prohibited intervention, due to a lack of evidence as to coercive intent. In our estimation, NotPetya at least violated Ukrainian sovereignty, but, again, that depiction of the operations is unavailable to the United Kingdom, per the views expressed by the UK’s own Attorney-General. 

It should be cautioned, as we did in our prior post, that any analysis of cyber operations by Russia against Ukraine is complicated by the oft-forgotten or frequently ignored existence of an international armed conflict between the two States to which international humanitarian law (IHL)applies. It seems, although we cannot be certain, that the NCSC did not take IHL into account when tendering its conclusions, for there is neither mention of armed conflict nor does the NCSC distinguish between the cyber campaigns against the Ukraine and the other targeted States and organizations. There is also the further question, which lies beyond the scope of this post, as to the continued viability of the prohibitions on the use of force and intervention, and the requirement to respect sovereignty, as between opposing belligerents during an international armed conflict.

Turning to the second category of effects, the exfiltration and release of the TV station’s emails, confidential OPCW medical files, and DNC emails raise no use of force issues. Nor would the first two would constitute coercive intervention. An argument could be fashioned that the DNC operations qualified as such because elections clearly fall within the United States’ domaine réservé, but making the case that mere release is coercive is challenging. In this regard, note that the United States has issued no official declaration that the DNC hacks constituted unlawful intervention.

An interesting question is whether these operations violated international human rights law. There is wide consensus that human rights attach in the cyber context. For instance, this premise is advocated by the Human Rights Council and has appeared in the UN GGE reports cited above. The UK Attorney General took the same position in his speech, albeit only briefly, and it is one with which we agree. Of particular note is Article 8 of the European Convention on Human Rights, to which Russia is Party. It provides that ‘[e]veryone has the right to respect for his private and family life, his home and his correspondence’ and sets forth the limited criteria (none are relevant in these cases,)by which a public authority may interfere with said rights. The International Covenant on Civil and Political Rights contains similar protections in Article 17.

The crucial issue is extraterritorial application of the human rights protections since the individuals affected by the exfiltration and release were located outside Russia. Although the matter is both complex and somewhat contentious, the prevailing view, in broad strokes, is that extraterritorial application of human rights obligations requires effective control by the State concerned over the person affected (personal model) or the territory on which the operation takes place (spatial model) (for an excellent discussion on these bases, see here). The available facts do not provide a basis for finding that Russia exercised either form of control in the above-listed cases.

One possible exception would be the rights of any Russian athletes then located in Russia whose medical data was stored in the WADA database. The open source accounts are insufficient to determine whether a violation occurred, but the human rights of any such Russian athletes were at least implicated by the GRU activities. We also note the NCSC’s report that encryption of hard drives and other operations cited in the first category above also affected the Russian Central Bank and Russian media. Again, without further information, it cannot be said that the activities violated any human rights obligation owed those affected. However, the fact that affected individuals were located on Russian territory means that their human rights, such as the rights to privacy or expression, were implicated.

The best argument for unlawfulness is that these remotely conducted exfiltration and release operations violated the sovereignty of the States into which they were conducted. For instance, the DNC hack and subsequent release of the emails arguably interfered with the inherently governmental activity of conducting elections, while all of the operations raise questions of territoriality. But because the United Kingdom has spurned a rule of sovereignty, and despite the fact that some of the operations undeniably violated the domestic law of target States (as illustrated by the US indictment of GRU officers), the United Kingdom would face an uphill battle in making the case that the operations violated international law.

The last category cited by the NCSC includes Russian operations that only acquired, or attempted to acquire, access to the systems concerned, but in which there was no subsequent exploitation. That the Russian operations led to the infection of home and small business computers and that the GRU attempted to access OPCW, DSTL and FCO computer systems are unlikely to support a conclusion that there were either actual or attempted international law violations. Once again, unauthorized access is a domestic law violation in most jurisdictions. But given that access alone usually produces only de minimis effects on the targeted system, there is general consensus that mere access does not violate international law. This is so even for those who take the position that sovereignty may be violated on the basis of territoriality or interference with inherently governmental functions. Along these lines, it is widely accepted that espionage does not breach any international law prohibition. It should be noted, however, that access is only the initial aim of most cyber operations (DDOS operations being the primary exception as they do not require access to the target system); follow-on operations exploiting that access may constitute violations.

Nevertheless, operations against the OPCW might have violated the Convention on Chemical Weapons, which mandates cooperation between Parties in achieving its purposes, establishes dispute-resolution mechanisms and sets forth the privileges and immunities of the organization. Conducting hostile cyber operations that would threaten the activities of the OPCW in response to its investigation of the Salisbury attack of 2018 would appear to run afoul of these provisions, as well as the general pacta sunt servanda duty of States Parties to a treaty to perform its obligations in god faith.

Finally, it must be acknowledged that the UK government was not alone in condemning the Russian cyber campaigns. For instance, Dutch Defence Minister Ank Bijleveld noted with respect to at least the OPCW operation that ‘GRU cyber operations such as this one undermine the international rule of law’. However, because the OPCW is based in the Netherlands and because that country has not repudiated the existence of a sovereignty rule, her assertion is on relatively firm ground. Similarly, Global Affairs Canada citing, inter alia, the operation against the WADA, which is based in Canada, and that against the OPCW, observed that such activities ‘underscore the Russian government’s disregard for the rules-based international order, international law and established norms’. Yet, like the Netherlands, Canada’s assertion is internally consistent, for, like the Netherlands, Canada has not objected to a rule of sovereignty. Similar statements highlighting international law were issued by, inter alia, the EU, Australia, and France. Unfortunately, none of the aforementioned statements set forth the specific rule(s) that were being undermined by the Russian operations. They are thus of only limited value in helping to address the uncertainly surrounding binding norms for cyberspace.

Consequences of the UK Positions

The NCSC news release portrays the Russian cyber campaigns as ‘indiscriminate and reckless’, as well as destabilising. The evidence irrefutably confirms these characterizations. However, in our view, it is difficult for the United Kingdom to categorically establish that they were in ‘flagrant violation of international law’, although we believe that a number of them do justify that characterization. This is because the operations in question do not fit neatly into the unambiguous aspects of the rules prohibiting the use of force and coercive intervention, and because the United Kingdom has dispensed with the violation of international law that could have been most plausibly claimed, a breach of the target States’ sovereignty.

And therein lies the dilemma. On the one hand, any suggestion that there is no basis for asserting that a rule of sovereignty exists is disingenuous. The very fact that the issue is a contentious topic in serious legal and policy circles demonstrates as much. But on the other, and in the United Kingdom’s defence, it is at least arguable that cyber operations are sui generis in the sovereignty context or that, after all, customary law is made in the breach. Indeed, there are colourable legal-policy and operational rationales for viewing a rule of sovereignty as an obstacle to cyber operations that enhance national security.

The point is that a State taking this position must understand, as the cases discussed above illustrate, and as did the 2017 WannaCry ransomware operations by North Korea, that very few malicious cyber activities by other States can unequivocally be characterized as violations of international law absent a rule of law protecting sovereignty. On the contrary, because the criteria for engaging in a prohibited intervention or use of force are both demanding and ill-defined, the ‘sovereignty is not a rule’ position affords other States the flexibility to act in an ‘indiscriminate and reckless’ manner while claiming to operate within the boundaries of international law.

States wishing to promote stability and cooperation in cyberspace should consider this reality before expressing opinio juris that will deprive them of the opportunity to use law as a normative firewall that helps secure their cyberspace. They should also be sensitive to the fact that rejecting a rule of sovereignty deprives them of the most likely legal basis for taking cyber or non-cyber ‘counter-measures’ (proportionate acts that would be unlawful but for the fact that they are designed to compel another State to comply with its own obligations) in the face of hostile cyber operations. And Western States have often made the point, for instance in the face of Russian and Chinese opposition to mention of self-defence and IHL in the aborted 2016-2017 GGE report, that cherry-picking international law norms is not a productive way to advance the dialogue. Their opposition to the tactic is principled and practical.

Ultimately, we believe States can enhance stability in cyberspace by publicly articulating their legal positions regarding operations therein, both with respect to their broad legal policies and as to specific incidents, with granularity. This is because normative clarity enhances deterrence and minimizes the risk of escalation. Sadly, most States are showing little dispatch in doing so.

 The views set forth in this post are those of the authors in their personal capacity and should not be interpreted as necessarily reflecting those of the US government or any component thereof.