I had the privilege of speaking at U.S. Cyber Command’s Legal Conference earlier this week. I thought to write up for Just Security, in a more developed form, one of the topics that I raised briefly in my remarks.
A widely accepted view of the UN Charter is that a State can use force in self-defense only in response to an “armed attack,” which is importantly defined as the gravest forms of force in scale and effects. In contrast, the United States has long maintained that a State can use force in self-defense in response to any amount of force by another State. The U.S. view might have worked well when it came to bombs and battleships. There are reasons, however, to think that the application of the U.S. view in the cyber realm may risk unintended, accidental, and unnecessary militarized conflicts. That’s partly because of the uncertainty of the law in cyberspace and partly because of the uncertainty of facts when cyber operations occur.
The U.S. position, one might think, reduces the overall risk of militarized conflicts between States. One reason to recommend the U.S. view is that it might enable a government to prevent escalation—for example by using cyber-ops to impede another State’s test missiles—in response to the latter’s low-level uses of force, and thus buy more time for diplomacy to avoid a larger battle. What’s more, if a State’s hands are tied such that it cannot use force to respond to a low-level use of force by an aggressor, it will put pressure on governments to expand what is meant by an “armed attack,” which has potentially dangerous precedential effects in the future. Those concerns, however, may not be as relevant for the United States, which, above and beyond other States, has a broader range of potential diplomatic, economic, and other non-forcible, non-military means to defend its interests.
More important is deterrence. In favor of the U.S. view of the law is that a lower threshold for triggering the right of self-defense can deter aggressors from acting in the first place. In terms of defensive posture, the United States deters others who know that the American military can use its mighty arsenal in response to any illegal use of force. That empirical claim, however, is weaker in a world in which States very frequently engage in low-level uses of force in cyber, or might be thought to have done so by their adversaries. In that world, many States will have the legal right to use force in self-defense against others on an ongoing basis. Also, consider the U.S. offensive posture. The greater extent to which the United States, in particular, is engaged in cyber activities across the world that will be considered a use of force by other States, the greater license the United States may be handing those States to use force—whether in the cyber or kinetic realm—in response. That is, if those States adopt a view similar to the United States that “the inherent right of self-defense potentially applies against any illegal use of force.”
It may have been more satisfying to the United States to operate in world in which it maintained the legal prerogative to adopt a forcible response in reaction to any illegal use of force while other States did not maintain that position. Our legal world may be changing, however. Witness, for example, Japan’s recent shifts toward the U.S. position. Taken in light of Mutual Defense Agreements, in which the United States has accepted an obligation to support other States who have been subject to an “armed attack,” and the kinds of calculations of what makes the world safer and better protects U.S. national security must surely shift. More specifically, if more U.S. allies start moving toward the U.S. view of “armed attack,” the United States may be drawn into far-flung cyber conflicts as an unintended consequence.
Now add to this mix the legal uncertainties that exist in this specific area of cyber law. The legal definition of what exactly is a use of force in the cyber realm is far less settled than in the kinetic realm. What’s more, it is safe to assume that several States around the world are frequently engaging in actions that others might consider a use of force. Is the laying of specific types of malware on the systems of another State in preparation for possible future activation analogous to laying landmines in another State’s territory? The Tallinn Manual’s definition of cyberattacks (at least in the context of jus in bello) may lead one to think so, but widespread State practice would appear to contradict that conclusion. So which is it? Also, could the alteration or destruction of data count as a use of force or attack? This is an area where views are developing in one direction, but what happens in the limbo period between now and then, when some States and legal authorities hold one view and others hold different ones? That seems like a dangerous period for calibrating the use of force in cyber. And those are just two examples of legal uncertainties out of many that one could describe.
These types of legal uncertainties are compounded by factual uncertainties in the cyber realm. While the United States appears to have an increasingly impressive ability to determine attribution, many other States lack that sophistication and are thus more likely to make costly errors. State D may mistake a cyber operation launched by a rogue hacker or organized non-State group operating out of country Y as being perpetrated by State Y itself. And governmental or non-governmental cyber hackers in a third country may very purposefully make it look like State Y conducted a cyberattack. Another difficulty in the cyber realm is determining whether certain effects of a hostile cyber operation were intended by the attacker. For example, State D may detect an imminent threat of malware in its systems that appears would at least temporarily compromise its most sensitive military arsenal—but is that what the perpetrator intended (and how, as a legal issue, should that question of intentionality matter)?
In cyberspace, many of these actions and interactions will take place at greater speeds thanks, in part, to artificial intelligence. These conditions may shrink the window of time for political and military leaders to make decisions, and place pressure on them to pre-authorize or create automated responses. It is not hard to imagine tit-for-tat uses of force quickly ascending a ladder of escalation. And there is no legal reason the rungs of that ladder will remain confined to the cyber realm.
I have not here, nor more generally in my own thinking, addressed all the factors that favor the U.S. view of self-defense in cyberspace. A prudential course of action is to consider the potential empirical effects of the U.S. view of the right to self-defense and how those effects may be significantly different specifically in cyberspace. We should also consider the effects of the U.S. view during this limbo period in which legal uncertainty and factual uncertainty remain at such high levels.