Last Wednesday, reports surfaced that the U.S. aircraft manufacturer Boeing had been hit by a serious ransomware attack. A leaked internal memo suggested that some production equipment at Boeing might have been disabled as a result of the cyber operation. The memo even called for “All hands on deck” to contain the threat, piquing the interest of the national and global media, which then climaxed after “some Boeing executives” identified the cyberattack as the infamous WannaCry virus that had affected more than 230,000 machines in over 150 countries last year.
As is customary in today’s society marked by the 24-hour news cycle and the rapid exchange of information on social media, an array of speculations soon followed. It was said that the attack might impact the production of the already severely delayed KC-46 Pegasus military aircraft. Others have wondered whether the timing of the incident immediately following the announced closure of the Russian consulate in Seattle might have suggested Russia’s involvement. By that point, all the ingredients for a potent international political and legal crisis had been properly mixed and stirred, and were starting to simmer.
However, the facts that have emerged in the meantime paint a slightly different—and less alarming—picture. Wired cited cyber security specialists according to whom an infection by WannaCry was unlikely given that the malware had effectively been neutered after Marcus Hutchins, a British researcher, found a “kill switch” stopping the spread of the virus. Moreover, regular readers of Just Security do not need reminding that several countries including the U.S. attributed the WannaCry cyberattack to North Korea, not Russia. For its part, Boeing claimed that the malware intrusion was limited and that, in any event, it was “not a production or delivery issue”. Speculations about the potential effect on the U.S. weapons production or about any links to Russia have since died down.
Yet, the factual pattern of the incident highlights an underappreciated question for international lawyers: Under what circumstances does a cyberattack against a private company violate states’ obligation not to intervene in other states’ affairs (the principle of non-intervention under international law)? Below, I examine this question along with some of the wider implications of the analysis which illuminate the vital role of international law in preventing escalation of inter-state tensions.
Intervention and Cyber Operations
The principle underpinning the customary duty of non-intervention has been authoritatively described by Vaughan Lowe, professor of international law at Oxford University, as “one of the most potent and elusive of all international principles”. Although some of the elusiveness of the principle cannot be denied, the core of the duty is uncontroversial. As the International Court of Justice (ICJ) held in its landmark judgment on the merits in the 1986 case Nicaragua v US (at para. 205):
A prohibited intervention must … be one bearing on matters in which each State is permitted, by the principle of State sovereignty, to decide freely. One of these is the choice of a political, economic, social and cultural system, and the formulation of foreign policy. Intervention is wrongful when it uses methods of coercion in regard to such choices, which must remain free ones.
Two elements follow from this understanding. The first is that in order for an act (a term that is wide enough to include a cyber operation) to qualify as prohibited intervention, it must bear on those matters in which states are allowed to decide freely. As the ICJ ruling makes clear, the spectrum of such issues is particularly broad and it includes choices of a political, economic, social, and cultural nature. Therefore, states’ sovereignty also extends to choices they make as to their national defense and security, issues that are at the core of states’ exclusive prerogatives.
It is of no consequence that states may outsource the implementation of these determinations to private contractors, for instance by commissioning an aircraft manufacturer like Boeing to develop a military refueling and transport aircraft. Similarly, the Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations notes that “[i]ntervention … need not be directed at State infrastructure or involve State activities”; what matters is whether the cyber operation in question was designed to impair the state’s sphere of protected internal affairs. Hence, if a cyber operation against a private actor was intended to derail the production of military equipment of a state, it would satisfy the first element of a prohibited intervention.
The second element of the legal test confirmed in Nicaragua is that the act in question must be coercive in nature. It should be noted that many forms of conduct by states “touch the affairs of another state”: in Oppenheim’s International Law, Sir Robert Jennings and Sir Arthur Watts QC give a number of examples that include the recognition of governments, various types of international co-operation, or lodging protests against alleged violations of international law. However, none of those amount to intervention, because they are not coercive (i.e., forcible or dictatorial) in nature.
There is no generally accepted definition of “coercion” in international law. However, in the cyber context, the Tallinn Manual 2.0 helpfully suggests that coercion “refers to an affirmative act designed to deprive another State of its freedom of choice, that is, to force that State to act in an involuntary manner or involuntarily refrain from acting in a particular way”. As the Manual goes on to explain later on in the text, the “key is that the coercive act must have the potential for compelling the target State to engage in an action that it would otherwise not take (or refrain from taking an action it would otherwise take)” (italics mine).
In the present context, it appears that the U.S. has not been compelled to change any course of action in its protected sphere of conduct. However, let us suppose for a moment that a malicious cyber operation targeted against a private contractor like Boeing would indeed significantly impair its ability to supply crucial military equipment to a state. Suppose further that, as a result, the state in question would be forced to adopt alternative means of meeting its national security priorities, suffering considerable additional expense and/or delays in the process. If that were the case, the second element of the said legal test would also be fulfilled, and the operation as a whole would constitute prohibited intervention.
Attribution, Countermeasures, Escalation
What are the implications of this analysis? Crucially, any reliance on this reasoning would still need to get over the hurdle of attributing the operation in question to an outside state. It may well be that the design, proliferation, and implantation of viruses like the one that affected Boeing last week are all done by private hackers. In that case, a sufficient link between the non-state actor and the alleged responsible state still needs to be found. As I have argued elsewhere, shared goals and other horizontal forms of collusion between such parties do not suffice for this purpose; instead, a subordinate relationship between the state and the private actor must be established (at pp. 426–27).
However, once the uncertainty as to the actual originator of the operation has been resolved, its qualification as prohibited intervention, and thus an internationally wrongful act, has important consequences under international law. The foremost among them is that the injured state becomes entitled to take steps to vindicate its rights and restore the relationship between the two states from before the breach. In particular, the injured state (but not the victim company of its own accord) is now permitted by law to engage in otherwise unlawful conduct against the responsible state in order to induce the latter to comply with its obligations—in other words, it may take countermeasures against the responsible state.
International law prescribes strict conditions for countermeasures to qualify as permissible. A non-binding compilation of the law of state responsibility issued by the International Law Commission (ILC) in 2001 dedicates no fewer than seven provisions (Articles 22 and 49–54) to the matter. Central among them is the requirement of proportionality: any action taken “must be commensurate with the injury suffered, taking into account the gravity of the internationally wrongful act and the rights in question” (Article 51). However, there is no “in-kind” requirement under the law of countermeasures. This means, in Eric Jensen’s words, that “a State can respond to a non-cyber violation with a cyber countermeasure, and to a cyber violation with a non-cyber countermeasure” (at p. 20).
Accordingly, international law permits a state whose weapons production was targeted through a cyber operation attributable to another state to respond with a “hack back” or other available non-cyber countermeasure against the responsible state. However, a word of caution is in order. As the author of the “All hands on deck” memo would likely agree now, one should be judicious in assessing the facts before taking any action directed towards the outside world. In that regard, the ILC commentary warns that a state that resorts to countermeasures “acts at its peril”, and if it incorrectly attributes the antecedent cyber operation to another state, it may itself incur responsibility for its own wrongful actions (para. 3 of the commentary to Article 49). Beyond its immediate application to last week’s “Boeing hack”, the analysis thus also demonstrates how international law plays an essential de-escalatory role in inter-state relations.