Normative Voids and Asymmetry in Cyberspace

[Editors’ NoteThis post is the latest installment of our “Monday Reflections” feature, in which a different Just Security editor examines the big stories from the previous week or looks ahead to key developments on the horizon.]

Since the alleged North Korean cyber operation against Sony in late November, it has become de rigeur to engage in “enemy at the gate” rhetoric. Referring to “how the Internet and cyber operates,” even President Obama described the situation as “sort of the Wild West,” adding “part of the problem is you’ve got weak States that can engage in these kinds of attacks, you’ve got non-State actors that can do enormous damage.” Such a dire portrayal of the current state of cyber affairs on the part of a world leader not known for hyperbole deserves serious attention.

First, the easy part–the analogy to the Wild West. The President appears to have succumbed to the incessant refrain that cyber operations exist in a normative void. But they do not. The legal principles of sovereignty, due diligence and non-intervention; the law of State responsibility; air and space law; the law of the sea; international telecommunications law; diplomatic law; human rights law; the jus ad bellum regulating the resort to force; international humanitarian law; and the law of neutrality, inter alia, contribute to the normative tapestry governing cyber operations. There is plenty of law; the challenge lies in ascertaining how that law applies in the cyber context, a process frustrated by the tenacious myth of normative voids.

Nor does cyber space qualify as the Wild West on the ground that any applicable law is unenforceable. True, it is sometimes difficult to attribute cyber operations; but at other times it is decidedly not, especially when multiple intelligence and information sources are fused, as is typically the case. By way of example, determinations may be made on the basis of cyber forensics coupled with information from human sources (HUMINT) and communications intercepts (SIGINT). And international law does not require States to be correct; it only requires them to be reasonable when arriving at, and acting on, their conclusions.

The ongoing Sony-North Korea discussion also illustrates a tendency to oversimplify the available response options. Some commentators assume that if the cyber operation was not an “act of war” (an outmoded term referring essentially to an “armed attack” under modern jus ad bellum), responses are highly limited. On that view, the only legal responses are acts of retorsion (an unfriendly albeit lawful act) or law enforcement. Economic sanctions illustrate the former, whereas the indictments of five Chinese PLA hackers exemplify the latter. These actions do not appear to add much to the U.S. legal arsenal because they would be lawful options for the United States to undertake even if North Korea did not violate international law.

But the options are actually more granular. For instance, if carried out by North Korea, the Sony operation violated U.S. sovereignty, and thereby constituted an “internationally wrongful act.” This opened the door to U.S. countermeasures–otherwise unlawful measures taken by an “injured State” to compel a “responsible State” to desist in its own unlawful behavior and make appropriate reparations. Such actions need not be in kind (i.e., they need not be cyber in nature), but are subject to limitations such as a requirement of proportionality and a prohibition on acting solely for punishment or retribution. There is speculation that the United States may have briefly brought down the rudimentary North Korean network in mid-December; if so, the step would arguably qualify as a countermeasure.

So, labeling cyber space a Wild West is counter-normative and counter-factual because there is an abundance of international law governing cyber space and the customary international law enforcement mechanisms are fully available. However, the second concern expressed by the President—asymmetry—is well founded. The Department of Defense defines asymmetric operations as those involving “the application of dissimilar strategies, tactics, capabilities, and methods to circumvent or negate an opponent’s strengths while exploiting his weaknesses.” As President Obama correctly suggested, cyber operations can level the playing field for States and non-State actors facing better-equipped and resourced foes. Indeed, the more developed a State, the more dependent it will be on cyber space and the more likely it is to be vulnerable to cyber operations mounted by an opponent operating asymmetrically through cyber space.

A number of factors lend cyber operations their asymmetrical utility. They are relatively cheap because what is primarily required is expertise, and such expertise is readily available. Additionally, cyber operations can make possible widespread and reverberating effects beyond those that would be attainable by other means. As an example, surgically targeted malicious cyber operations could weaken a target State’s economy (e.g., by undercutting confidence in its banking system) with unprecedented speed and scope. In modern warfare, cyber operations can also dramatically diminish the impact of distance, render traditional physical or kinetic defenses ineffective, penetrate the enemy’s operations and make an opponent’s decision-making highly transparent. And, because publically disclosing whether, and how, a target State knows the source of a malicious operation may reveal that State’s cyber capabilities, its response to a cyber attack may appear to be either an unlawful first-strike or precipitous response.

The current rules of international law create asymmetry in three realms of cyber activities: 1) cyber operations “below the threshold” of an armed attack implicating the law of State responsibility; 2) cyber operations in response to an armed attack under the law of self-defense; and 3) cyber operations during an armed conflict.

As to those that are below the threshold, cyber capabilities afford a State the means for acting in situations in which it would otherwise be relatively powerless by enabling it to inflict significant harm on a stronger State or on persons or entities located on the stronger State’s territory. However, as a matter of international law, the weaker State is not in an advantaged position because the injured State may respond with proportionate countermeasures. Moreover, the countermeasures need not be in kind, thereby allowing the more powerful State to leverage its relative strength in areas other than cyber when taking countermeasures. As a practical matter, the injured State may not wish to reveal how (or even whether) it knows the responsible State conducted the cyber operations or that the injured State has responded with cyber operations. But while this factual reality may temper the willingness of an injured State to respond, it does not affect its legal right to do so.

By contrast, non-State actors enjoy asymmetrical advantage at the below the threshold level because countermeasures may be taken only against States. Therefore, a targeted State is generally limited to law enforcement (a particularly difficult proposition vis-a-vis transborder cyber activities) in terms of a direct response to a non-State actor’s cyber operation.

It is not that a robust response against the non-State actor is unlawful per se under international law. Rather, the legal quandary is how to respond to the non-State actor without violating the sovereignty of the State where that actor is located. There are but three means of doing so in situations short of armed attack. First, the territorial State can consent to the targeted State’s response. Second, the targeted State may, in some circumstances, treat the territorial State as in violation of the due diligence obligation to control activities harmful to other States that emanate from its territory. In response to that “internationally wrongful act,” the former may be entitled to take countermeasures in the form of cyber operations targeting the non-State group; although aimed at the non-State group, the measures would as a matter of law qualify as countermeasures against the territorial State that “preclude the wrongfulness” of the injured State’s violation of sovereignty.

The third possibility is application of the “plea of necessity,” which allows a State to violate obligations owed other States (such as respect for sovereignty) when necessary to forestall “grave and imminent peril” to an “essential interest.” Accordingly, if the non-State actor’s cyber operations are at this level of gravity, the targeted State may respond with measures short of the use of force irrespective of the fact that doing so breaches another State’s sovereignty (or other right). Despite these three limited possibilities, non-State actors enjoy a marked asymmetric advantage in operations below the threshold.

With regard to the law of self-defense, there are two significant challenges posed by asymmetry. The first is that some States and commentators are of the view that the right to respond to an armed cyber or kinetic attack is limited to those conducted by a State (or attributable to one). This position is based on the International Court of Justice’s unwillingness in the Wall advisory opinion and Congo judgment to affirmatively extend the right of self-defense to attacks by non-State actors. In the cyber context, the consequence is that non-State actors enjoy an asymmetrical legal advantage in much the same way that they do with respect to countermeasures in the below-the-threshold setting. Fortunately, this is a minority view and a number of States, including the United States and the Netherlands, have specifically rejected it as to cyber operations.

The second challenge is presented by the so-called “gap” in the law of self-defense. In Nicaragua, the International Court of Justice opined that the threshold at which an action violates international law’s prohibition on the “use of force” is lower than the “armed attack” threshold at which a State may respond with its own use of force. Its distinction between “the most grave forms of the use of force (those constituting an armed attack) [and] other less grave forms” creates a so-called “gap” within which a State subjected to a use of force is not entitled to respond at the same level unless and until it reaches the armed attack threshold. Accordingly, the Court found that arming and training rebels fighting another State’s government constituted a use of force against that State, but was not an armed attack by the State supporting the rebels. By analogy, arming a hacker group with destructive malware and training its members how to employ it against another State may qualify as a use of force, but is not an armed attack. The gap is problematic because countermeasures that rise to the use of force level are not permitted (by the majority view in international law). Thus, the State that engages in a cyber use of force that does not constitute an armed attack enjoys an asymmetrical legal advantage because the targeted State may not respond with its own cyber or kinetic use of force.

The existence of the gap has been rejected by the United States on numerous occasions, including in the cyber context. The United States takes the position that once the use of force threshold is crossed, so too is the armed attack threshold. This view is arguably logical with respect to the classic military dominance the United States enjoys since it allows a response to the actions of other States at a lower level than would be permissible by the gap approach. And, in light of its asymmetrical military advantage, other States are as a practical matter unlikely to respond forcefully to U.S. actions that might themselves cross the use of force (or even armed attack) line.

Cyber operations turn this logic on its head because even weak States can effectively respond by cyber means to U.S. actions that reach the use of force, but not armed attack, threshold. Given the extensive involvement of the United States in cyber activities, it is arguable that its national security interests would accordingly be better served by the gap approach, at least as far as cyber operations are concerned. Of course, with the gap approach, the United States would be barred from responding at the same level to a use of cyber force, but its wherewithal in other realms (diplomatic, economic, technological, etc.) affords it impressive non-forceful countermeasure options that would minimize, if not eliminate, the effect of that proscription.

Finally, international humanitarian law governs cyber operations conducted during an armed conflict when there is a nexus between the operations and the conflict. Asymmetry looms especially large in armed conflict because leveraging asymmetrical advantage is a key objective of most combat operations. Cyber operations serve as a major enabler of asymmetry on the contemporary battlefield.

However, it is difficult to militarily defeat a significantly superior force, even with cyber means and methods of warfare. After all, the more advanced that force, the better its cyber defenses and retaliatory capabilities are likely to be. A weaker force must therefore seek a vulnerable center of gravity other than the enemy’s forces. As recent conflicts in which one side is significantly advantaged have illustrated, the seeming answer for the weaker party often lies in imposing unacceptable costs on an opponent by targeting its civilian population. Examples include sending suicide bombers into crowded areas such as market places and launching rockets against population centers

Cyber operations present uniquely attractive options for targeting the civilians and civilian objects. In particular, a majority of the International Group of Experts involved in the Tallinn Manual process was of the view that a cyber operation against civilian cyber infrastructure is not prohibited unless it affects the functionality of the infrastructure, causes physical damage or injures civilians. Similarly, most of the experts concluded that destroying or altering data in a civilian cyber system does not violate the prohibition on attacking civilian objects unless doing so causes such consequences. Therefore, cyber operations make possible, as a matter of both technical capacity and law, certain asymmetrical operations directed at the civilian population.

More troubling is the reality that militaries and organized armed groups facing superior military forces have shown little hesitancy in violating humanitarian law in order to offset weakness on the conventional battlefield. There is no reason to believe they will not turn to cyber operations to accomplish the same end, particularly since cyber operations offer the prospect of attacking the civilian population in ways that dwarf current practices in terms of scope and severity. For instance, evidence exists that Hamas and Hezbollah are developing the capability to mount such operations against Israel And recall that al Qaeda has conducted cyber reconnaissance necessary to launch attacks on critical infrastructure like dams and electric grids.

Thus, cyber operations not only sometimes offer an opportunity to target civilians and civilian objects lawfully, their asymmetrical advantages can even invite humanitarian law violations. When this occurs, the reciprocity that animates compliance with humanitarian law is weakened. This reality makes it all the more important to dispel impressions that cyber operations, whether during peacetime or armed conflict, occur in a normative void

The views expressed are those of the author in his personal capacity. 

About the Author(s)

Michael Schmitt

Chair of Public International Law at the University of Exeter Law School in the United Kingdom, Charles H. Stockton Professor at the U.S. Naval War College’s Stockton Center for the Study of International Law, Francis Lieber Distinguished Scholar at the U.S. Military Academy at West Point, Director of Legal Affairs for Cyber Law International Follow him on Twitter (@Schmitt_ILaw).