The Right Honourable Jeremy Wright’s recent remarks at Chatham House on Cyber and International Law in the 21st Century added a welcome dash of color to the otherwise gray zone of cyberspace. While full-HD resolution may still be in the offing, this all-too-rare official pronouncement of opinio juris reinforces the baseline maxim that existing international law applies to states’ activities in cyberspace and provides some needed clarity on how certain key provisions of international law govern interstate relations at and below the threshold of armed conflict. As the Attorney General notes, the efficacy and resilience of the international rules-based order depend on states’ being open and clear about their understandings of, and commitment to international law. Just as important is his reminder that international law is not static and if it is to remain relevant must “adapt to meet the particular demands” of the modern world and the unique security threats that cyberspace presents. In this regard, his pronouncements on the applicability of the jus ad bellum and the principle of non-intervention to cyber operations, the normative role sovereignty plays in cyberspace, and the substantive requirements of countermeasures are important contributions to advancing understandings of international law’s role in regulating states’ use of this emerging technology. In this post we offer comment on the first two points. We will address the Attorney General’s important statements on sovereignty and countermeasures in a follow-on post.
For a growing number of states, cyber operations are now firmly ensconced as a means of conducting traditional and not-so-traditional statecraft, to include conflict. Cyberspace has delivered tremendous benefits, but its unique construct and ubiquity have also created significant national security vulnerabilities, generating unprecedented challenges to the existing framework of international peace and security. One need look no further than North Korea’s destructive and subversive actions against Sony Pictures, its launch of the Wannacry ransomware, Russia’s launch of the indiscriminate NotPetya malware against the Ukraine, or its cyber-enabled covert influence campaigns against the U.S. and other western democracies to realize that cyber capabilities are increasingly part of a powerful arsenal states are using to pursue their interests, oftentimes through aggressive actions aimed at disrupting the status quo. As the recently released Command Vision for US Cyber Command recognizes, the emerging cyber-threat landscape is marked by adversary states engaging in sustained, well-constructed campaigns to challenge and weaken western democracies through actions designed to hover below the threshold of armed conflict while still achieving strategic effect. And as the Cyber Command Vision also makes clear, passive, internal cyber security responses have proved inadequate, ceding strategic initiative and rewarding bad behavior.
The UK’s position on this is point is now clear: Both in peacetime and in conflict, states cannot engage in hostile cyber campaigns free of consequence. “States that are targeted by hostile cyber operations have the right to respond to those operations in accordance with the options lawfully available to them and that in this as in all things, all states are equal before the law.” Actively contesting adversaries in and through cyberspace must form a key component to any strategy aimed at defeating these threats and reinforcing norms of acceptable and unacceptable state behavior. The Attorney General’s remarks implicitly, if not explicitly, recognize that international law must take account of this increasingly evident reality.
At the same time, not all unfriendly or even prejudicial actions by one state against another constitute breaches of international law, whether effected through cyberspace or otherwise. Understanding the line between internationally wrongful and permissible cyber operations is therefore critical to framing legitimate cyber strategies and response actions. The customary laws of state responsibility provide the start point for properly analyzing and characterizing these malicious cyber activities and the response options available to victim states.
The customary law of state responsibility, reflected in much of the International Law Commission’s Articles on the Responsibility of States for Internationally Wrongful Acts, holds that states are legally responsible for acts or omissions that are both attributable to them and that constitute a breach of an international obligation of the responsible state. Where these constituent elements are met, victim states have recourse to a range of remedies, to include certain self-help measures that themselves would otherwise be considered breaches of international law. A victim state’s use of force in response to an imminent or actual armed attack by another state being a case in point.
The Attorney General’s remarks are a welcome contribution to advancing the understanding of the state-responsibility framework and its application to state-mounted cyber operations. Four points are of particular importance. First is the Attorney General’s affirmation of the generally accepted view that the jus ad bellum governs states’ activities in cyberspace. Second is his recognition that considering the novel vulnerabilities attendant to new technologies, the rule of non-intervention has taken on new importance. Third is the U.K.’s emphatic rejection of the assertion that, beyond the jus ad bellum and the rule of prohibited intervention, international law includes a primary rule of territorial sovereignty that would bar cyber activity. Last is the Attorney General’s recognition that the extant law of countermeasures must adapt to the realities of cyberspace and the unique nature of the threat. For now, we limit comment to the first two of these important points.
The Jus ad Bellum
While important, the AG’s reaffirmation of the applicability of Articles 2(4) and 51 of the UN Charter to state actions in cyberspace is perhaps the least remarkable aspect of his speech. Notwithstanding some retrogression in the last round of the UNGGE, by and large states have accepted this view. Other than intimating that attacks such as Wannacry that target essential medical services might trip the armed attack threshold, his remarks avoid edge cases. The high level of destruction attendant to the Attorney General’s hypothetical examples that would qualify them as armed attacks are clear cases and consistent with views presented in the DoD Law of War Manual as well as Tallinn 2.0. While this will leave some critics unsatisfied, perhaps their expectations are unreasonably high.
Given the spate of malicious cyber operations mounted over the last few years, especially Russia’s aggressive activities, calls for action are reaching a crescendo. Recent reports of Russia’s hacking of U.S. energy and other critical infrastructure and the poisoning of Sergei Skripal and his daughter in the UK will only add to the pressure to respond. Whether and how to hold states like Russia accountable for such actions is ultimately a political question. And while it is certainly a fair and relevant question whether Russia’s actions, individually or taken together, rise to the level of a use of force or armed attack in violation of the U.N. Charter, it is not one likely to yield a satisfying answer.
Greater understanding of the use-of-force and armed attack legal triggers and how they apply to cyberspace is, of course, vital to evolving and strengthening the international rules-based order, and perhaps to deterring malicious cyber operations. However, in the absence of physical harm to individuals or tangible things, there is little consensus on whether or how cyber operations might constitute breaches of these rules. Further, the prevailing view is that most, if not all, documented cyber actions taken by states to date have fallen below the “use of force” threshold. More important, in the absence of political will to use armed force in response to Russian election interference or other malicious cyber actions, the question of whether a cyber operation might constitute an unlawful use of force or armed attack is at best one of limited utility.
In light of the lack of certainty as to how international law applies to cyber and information operations below the threshold of armed conflict, and the obvious brazenness with which Russia has operated to date, the visceral “casus belli” reactions are understandable. Unfortunately, from the perspective of sound policy and strategy development, framing the question in the dichotomy of war and peace is not particularly helpful and perhaps even counterproductive for at least two reasons. First, such reactions are based on a dangerously flawed premise—that armed conflict can be legally or factually confined to the single operational domain from within which it is initiated. That’s not so as militarized conflict in the cyber realm can easily trigger actions and reactions in the kinetic realm. The so-called and oft invoked “cyber war” is simply a misnomer. Second, the gap between such rhetoric and inaction only serves to amplify the costs some, like Jack Goldsmith, have identified and risks distorting policy discussions.
That, of course, does not mean that a victim state is left without options. For example, the U.S. has made use of a mix of sanctions and other diplomatic responses, all in the category of retorsions. However, as both the former and current Commanders of Cyber Command have testified before Congress, none of these prior responses seems to have been effective in stopping or deterring Russia or other adversaries like China, the DPRK, or Iran, from continuing to push boundaries and engage in malicious cyber operations. Retired General Michael Hayden echoes this assessment and calls for “a legal and policy zone that authorizes robust, sometimes destructive responses, well above normal peacetime competition but below what we would define as the threshold of conventional conflict and open interstate war.” Absent Security Counsel authorization, the legal zone he seeks per force rests on a predicate finding that Russia has violated international law which would preclude the wrongfulness of the countermeasures he alludes to. Greater clarity on the international rules governing these more pervasive sub-use-of-force cyber operations is therefore of much greater value to reinforcing the international rules based order than continued focus on jus ad bellum thresholds. It is here that the U.K. Attorney General’s remarks offer the greatest elucidation.
The customary international law rule that some sub-use-of-force interventions into the sovereign affairs of another State are considered internationally wrongful is also well established. The Attorney General’s affirmation of the non-intervention rule’s applicability to cyberspace and the concomitant implication that violations trigger a state’s right to employ countermeasures in response is an important contribution to buttressing the normative framework governing state behavior below the level of a use of force. The prohibition on intervention protects against certain impairments of a state’s sovereignty below the threshold of a use of force, and the Attorney General is correct to note the rule’s “particular importance in modern times when technology has an increasing role to play in every facet of our lives, including political campaigns and the conduct of elections.” At the same time, not all infringements on the sovereign interests of another state fall within the scope of the rule, and the Attorney General is also correct to note that the precise boundaries of the interests protected by the rule as well as the nature and scope of conduct it proscribes remain the subject of debate. However, beyond offering some examples as self-evident violations, including an interesting assertion that cyber operations aimed at destabilizing the UK’s financial sector would qualify, the speech unfortunately misses an opportunity to better illuminate the UK’s views on the vague language of the International Court of Justice’s Nicaragua decision so often cited as defining the rule’s elements, or how those elements might be adapted to account for the modern exigencies of cyberspace. In the meantime, greater insight into the non-intervention framework will have to be found elsewhere.
Citing the Nicaragua decision, the rule is generally described as prohibiting forcible, dictatorial, or otherwise coercive measures against a relatively limited but important zone of sovereign interests falling within what is commonly referred to as the state’s domaine réservé. The domaine réservé is generally understood to refer to those matters reserved in international law to the sole prerogative of states, matters such as the right to choose a political, economic, social, and cultural system, and to formulate and execute foreign policy. As noted in Tallinn Manual 2.0, a state’s choice of both its political system and its organization is a “matter most clearly within a State’s domaine réservé,” and coercive actions that deprive or substantially impair a State’s freedom of choice—for example over the democratic selection of its political leaders—by forcing it to take or refrain from taking an action against its will, are prohibited. In this, the Attorney General’s remarks are entirely consistent with prevailing views.
Unfortunately, as David Jens Ohlin notes, “despite the patina of precision in its French rendering, the concept [of domaine réservé] has little internally generated content.” Nor is the concept without limits. Those “domains or activities” not strictly reserved to states fall outside of the rule’s zone of protected interests—for example purely commercial activities and matters otherwise subject to international legal regulation. Like international law itself, the concept of domaine réservé is of necessity malleable and subject to evolution over time. Notwithstanding, a more precise articulation of the boundaries between protected and unprotected interests would better serve international peace and security by placing states on greater notice of the areas of interference most likely to generate legal consequence and potentially escalatory responses.
In even greater need of clarification, and perhaps evolution, is the element of coercion. As others have pointed out, overly rigid interpretation and application of the ICJ’s description of this element leaves unacceptable leeway to aggressor states. We submit that the ICJ’s framing of prohibited intervention solely in terms of coercion was imprecise and, when applied dogmatically, fails to capture significant modes of state action that could be considered internationally wrongful.
By definition, coercion involves an element of force or the threat thereof to achieve an intended result. As set out in the Nicaragua decision, there is no question that use of a level of force violative of Article 2(4) would constitute the “lesser-included offense” of prohibited intervention. However, leaving aside debates about the existence of a force gap between uses of force and armed attacks, in this sense the prohibition adds little if anything to the jus ad bellum framework set out above. For the prohibition to have any true normative effect below the use-of-force threshold, the ICJ’s recitation of the actus reus element of the prohibition must be understood as encompassing more than forceful deprivations. Its scope must be understood to encompass actions involving some level of subversion or usurpation of a victim state’s protected prerogatives, such as the delivery of covert effects and deception actions that, like criminal fraud provisions in domestic legal regimes, are designed to achieve unlawful gain or to deprive a victim state of a legal right. For example, covertly disseminating on the eve of an election false information that a candidate for office had dropped from the race would likely deprive the victim state of a free and fair electoral process without using coercion in the most common senses of the term.
As Steven Barela argues, perhaps better understanding of the rule’s force and effect as applied to cyber operations can be found in an unlikely source—the Special Counsel’s indictment of the thirteen Russians and three Russian organizations. In essence, the Mueller indictment reveals a compelling exposition, albeit in the vernacular of U.S. domestic law, of a prohibited intervention into the U.S. electoral process, the overall gravamen of the indictment being that the Russians’ “knowingly and intentionally conspired . . . to defraud the United States by impairing, obstructing, and defeating the lawful functions of the government through fraud and deceit for the purpose of interfering with the U.S. political and electoral processes . . .” The rich set of facts of intervention set out in the indictment are only buttressed by the Intelligence Community’s report on Russia’s influence campaign targeting the 2016 election and its attribution to Russia of the DNC hack.
Professor Michael Schmitt, who led both Tallinn Manual processes, points to the link between a domestic crime and an internationally wrongful act of intervention, arguing that “when you engage in what is a domestic crime to distort the electoral process, then in that case you are intervening in the internal affairs of another state.” The connection Schmitt draws between the domestic crime committed and the principle of unlawful intervention reinforces the instructive value of the Mueller indictment for international law. According to Paragraph 28 of the indictment, the “conspiracy had as its object impairing, obstructing, and defeating the lawful government functions of the United States by dishonest means in order to enable the Defendants to interfere with the U.S. political and electoral processes, including the 2016 U.S. presidential campaign.” Against the backdrop of the U.S. Government separately attributing the election meddling to Russia and the IC’s assessment that Russia’s harmful activities are ongoing and aimed at impacting the 2018 mid-term elections, the charge of conspiracy to impair lawful government functions by means of fraud and deceit seems a clear case of prohibited intervention in violation of international law.
The Attorney General calls for states to accept the responsibility to be clear about how international law obligations bind them. In this regard, perhaps his speech could have done more to clarify the scope of the jus ad bellum and the non-intervention rule as applied to state activities in cyberspace. Nevertheless, his declaration of the UK’s view on the applicability of these baseline obligations is an important contribution to greater transparency and understanding of the normative structure surrounding this new technology. With respect to other aspects of international law as applied to cyberspace, namely sovereignty and countermeasures, Mr. Wright’s statement adds considerably more. But that is for our next post.
The views expressed are those of the authors and do not necessarily reflect the views of the United States Cyber Command, the Department of Defense, or the U.S. Government.