U.S. Cyber Command, Russia and Critical Infrastructure: What Norms and Laws Apply?

According to the New York Times, the United States is “stepping up digital incursions into Russia’s electric power grid.” The operations involve the “deployment of American computer code inside Russia’s grid and other targets,” supposedly to warn Russia against conducting further hostile cyber operations against U.S. critical infrastructure, and to build the capability to mount its own robust cyber operations against Russia in the event of a conflict. This is not the first time such assertions have surfaced. For instance, in Operation Nitro Zeus, the United States allegedly “bored deeply into Iran’s infrastructure before the 2015 nuclear accord, placing digital ‘implants’ in systems that would enable it to bring down power grids, command-and-control systems and other infrastructure in case a conflict broke out.”

Damaging critical infrastructure is clearly out of bounds as responsible peacetime state behavior and would likely violate international law. But do these types of intrusions – seemingly intended to prepare for future operations or deter them, or both, without causing any actual harm – also run counter to applicable non-binding norms or violate international law during peacetime?

As a domestic law matter, the most recent U.S. operations were mounted in accordance with the 2019 National Defense Authorization Act, which grants the Secretary of Defense approval authority for “clandestine operations” … “to deter, safeguard, or defend against attacks or malicious cyber activities against the United States or Department of Defense information, networks, systems, installations, facilities, or other assets” (see Bobby Chesney here and here). This legislation reflects the Department of Defense’s 2018 Cyber Strategy, as set forth in an unclassified summary of the document.

[T]he Department seeks to preempt, defeat, or deter malicious cyber activity targeting U.S. critical infrastructure that could cause a significant cyber incident regardless of whether that incident would impact DoD’s warfighting readiness or capability. Our primary role in this homeland defense mission is to defend forward by leveraging our focus outward to stop threats before they reach their targets.

Russian Operations

On the other side of the equation, Russia has regularly conducted cyber operations against U.S. and European “critical infrastructure,” defined by the Department of Homeland Security as “physical and cyber systems and assets that are so vital to the United States that their incapacity or destruction would have a debilitating impact on our physical or economic security or public health or safety.” The National Infrastructure Protection Plan lists “energy” as one of the critical infrastructure sectors.

In 2014, for instance, the cyber security firms CrowdStrike and Symantec uncovered cyber operations by a group with ties to Russia that targeted “hundreds of Western oil and gas companies, as well as energy investment firms.” Some of the intrusions gave the operators remote control of the affected cyber infrastructure, access that would have made sabotage possible. They stopped short, however, of actually harming the infrastructure in which they were lurking. Thus, while these operations crossed the line as to norms of responsible State behavior in peacetime, whether they violated international law remains, as discussed below, an unsettled question.

Then, in December 2015, Russia conducted cyber operations against the Ukrainian electrical grid that cut power to parts of the country. In June 2017, its NotPetya operations, directed at Ukraine, went well beyond mere intrusion or probing and had devastating real-world consequences, including bleed-over effects far beyond that target. It was also around the time of the 2015 grid operation that a “Russian hacking unit began targeting critical American infrastructure, including the electricity grid and nuclear power plants,” and, “[b]y 2016, the hackers were scrutinizing the systems that control the power switches at the plants.”

The Russian operations have not abated. In July 2017, a joint FBI and Department of Homeland Security report revealed that “since May, hackers have been penetrating the computer networks of companies that operate nuclear power stations and other energy facilities, as well as manufacturing plants in the United States and other countries.” Speculation as to the attacker’s identity centered on Energetic Bear, a Russian group that has long conducted cyber operations against the energy sector.

Then, in March 2018, the Department of Homeland Security and the FBI issued a joint technical alert regarding “Russian government actions targeting U.S. Government entities as well as organizations in the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors.” According to the alert,

DHS and FBI characterize this activity as a multi-stage intrusion campaign by Russian government cyber actors who targeted small commercial facilities’ networks where they staged malware, conducted spear phishing, and gained remote access into energy sector networks. After obtaining access, the Russian government cyber actors conducted network reconnaissance, moved laterally, and collected information pertaining to Industrial Control Systems (ICS).

Violation of Norms of Responsible Behavior in Cyberspace?

The report on U.S. intrusions into the Russian systems has drawn attention to the risk of escalation.  Russia has cautioned that such actions could lead to “cyberwar,” although it claims its systems are not vulnerable. Meanwhile, National Security Adviser John Bolton has warned “We will impose costs on you until you get the point,” while President Trump oddly tweeted that reports that “the United States is substantially increasing Cyber Attacks on Russia” are “NOT TRUE,” labeling the New York Times story “a virtual act of Treason.” Whether the purported U.S. operations will effectively deter cyber attacks against U.S. and allied critical infrastructure or instead have an escalatory effect remains to be seen.  Whatever the case, the accompanying rhetoric is cause for concern.

More to the point, do cyber operations into critical infrastructure abroad violate the rules of the game for cyberspace? To begin with, they are inconsistent with accepted “norms of responsible State behavior.”  For instance, the DoD Cyber Strategy summary notes that “[t]he United States has endorsed the work done by the UN Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (UNGGE) to develop a framework of responsible State behavior in cyberspace. The principles developed by the UNGGE include prohibitions against damaging civilian critical infrastructure during peacetime.” Earlier, in its 2014 submission to the GGE, the United States similarly took the position that “[a] State should not conduct or knowingly support online activity that intentionally damages critical infrastructure or otherwise impairs the use of critical infrastructure to provide services to the public.”

This position has been echoed repeatedly by other States. The GGE, including representatives of all five Security Council permanent members, observed in its 2015 report (which was endorsed by the General Assembly) that “[t]he most harmful attacks using  ICTs [information and communications technologies] include those targeted against the critical infrastructure and associated information systems of a State. The risk of harmful ICT attacks against critical infrastructure is both real and serious.” It went on to contend that “[a] State should not conduct or knowingly support ICT activity contrary to its obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public” and that States should assist other States that are the target of such operations.

These points were repeated in the 2017 G7 Declaration on Responsible States Behaviour in Cyberspace. The following year, Australia, Canada, Chile, Estonia, Japan, the Netherlands, New Zealand, the Republic of Korea, and the United Kingdom emphasized in a Joint Statement on Information and Telecommunications in the Context of International Security that,

Despite the international legal framework governing State behaviour in cyberspace, many States, either directly or through proxies and non-State actors, undertake malicious cyber activity directed at the essential systems, infrastructure and democratic processes of other States.  Such behaviour threatens international peace and security, undermines the rules-based international order on which we all rely for our security, and imperils the benefits that arise from the development of cyberspace.

….

States undertaking these acts do so with flagrant disdain for their obligations, for norms of appropriate behaviour and with reckless disregard for the consequences.

Of course, whether intruding into another State’s critical infrastructure in an effort to deter the target State’s malicious activities, or to prepare for future conflict with that State, violates this norm of responsible State behavior is an open question over which reasonable people may disagree. It would seem clear that the answer is best crafted on a case-by-case basis, with a difficult-to-rebut presumption that cyber operations involving critical infrastructure are off the table because of their escalatory potential.

Violation of International Law?

Whether cyber operations against another State’s private or public infrastructure are lawful is a different, and very complex, question. For instance, although the United Kingdom labeled the NotPetya operations as unlawful, it failed to set forth the legal basis upon which it based that conclusion (which is complicated by the on-going armed conflict between Russia and Ukraine).

The question is especially difficult to resolve when the cyber operations stop short of causing damage or of interfering in, or usurping, inherently governmental functions, for those are the situations generally accepted as qualifying as a violation of sovereignty. Two issues in particular merit further analysis.

First, although there anecdotally appears to be widespread agreement that a remotely conducted cyber operation by, or attributable to, another State is a violation of the latter’s sovereignty if damage or relatively permanent loss of functionality occurs, there is no agreement as to operations falling short of these consequences. Indeed, the experts who prepared Tallinn Manual 2.0 considered the issue of placing malware into another State’s cyber infrastructure, but could achieve no consensus on the matter.

The better view is that remotely emplacing malware that is capable of destructive or significantly disruptive effects on critical infrastructure violates the target State’s sovereignty even if the malware has not yet been triggered. After all, sovereignty is largely territorial in character. In these cases, harmful code resides in cyber infrastructure located in the target State’s sovereign territory, contrary to its interests and without its consent. The fact that the malicious code risks potentially calamitous effects on the operation of critical infrastructure provides further practical support for this view. Indeed, if its presence is known to the territorial State, the power grid or other infrastructure is in effect already compromised, for that State would be uncertain about the reliability of its power supply, might need to build in redundancies, or would have to take other measures to mitigate the risks posed by the malware. Nevertheless, it must be conceded that the matter will not be settled until States set forth their positions on how the rule of sovereignty is to be interpreted in the cyber context.

Second, a little over a year ago, the United Kingdom, in an address by its Attorney General at Chatham House, rejected the premise that sovereignty is a rule of international law that can be violated by cyber operations. Unfortunately, the United Kingdom has provided no legal rationale for the conclusion, one that appears to fly in the face of extensive State practice, judicial treatment and scholarly opinion. To date, no other State has endorsed the British position. However, the consequences of adopting the position are significant.

In the absence of a rule of sovereignty (or even in the presence of a rule but with a high threshold for what type of cyber activity constitutes a sovereignty violation, as in limiting violations to operations that cause physical damage), States will generally be free to implant harmful malware in the private or public cyber infrastructure of other States so long as the immediate consequences of the operation are not, as explained below, extremely severe. It does not matter whether the operation is inspired by deterrent purposes or is malevolent; by the UK interpretation, motive has no bearing on the lawfulness of such operations. This reality should cause States to pause uncomfortably before adopting the same position.

Beyond the rule of sovereignty, emplacement of malware that has not been activated would not amount to intervention into the internal or external affairs of another State, because the action would usually lack the element of coercion, which, as noted by the International Court of Justice in Nicaragua, “defines, and indeed forms the very essence of, prohibited intervention.” In other words, emplacement of malware generally is not designed to deprive the target State of any particular choice. Moreover, to constitute intervention, the coercive cyber operations must be designed to affect the target State’s choice with respect to its domaine réservé, that is, activities left by international law to the State to regulate, such as elections, taxation or the conduct of its foreign policy. There is no indication that any of the operations in question were intended to do so.

Nor does mere emplacement of malware, even in critical infrastructure, rise to the level of a prohibited use of force in violation of Article 2(4) of the UN Charter and customary international law. As with the rule of sovereignty, there is uncertainty regarding the threshold at which the prohibition is breached by a hostile cyber operation. Certainly, those that cause physical damage or injury (beyond a de minimis level) would reach that threshold. Arguably, so too would cyber operations having severe consequences, such as a cyber attack with devastating effects on a nation’s economic system, although this remains an open question among States.

Yet it is crucially important that, in the case of mere malware emplacement, no consequences have manifested at all. The malware remains in the control of the State implanting it; that State may choose never to activate it (which distinguishes it from, for instance, the use of naval contact mines or the laying of landmines). Of course, if activated, the malware could generate effects that would constitute a use of force. Indeed, depending on the severity of the consequences, the right of self-defense might be triggered and an international armed conflict to which international humanitarian law rules apply could be initiated (raising interesting questions as to indiscriminate attacks, proportionality and reprisals that are beyond the scope of this discussion). But until that occurs, the prohibition on the use of force will not have been violated.

This raises the question of whether cyber operations that implant harmful malware for future use (as distinct from malware used solely for espionage) may be justified as a response to such operations by another State. If sovereignty is not a rule of international law, then responding in kind is permissible. The response would constitute an act of retorsion that need not be justified by any ground precluding wrongfulness under the law of State responsibility. However, the original target State would not be entitled to take non-cyber countermeasures (otherwise unlawful actions or omissions), since countermeasures must be in response to an internationally wrongful act.

Alternatively, assuming that cyber operations implanting harmful malware violate sovereignty (the legally sounder position), a response in kind would need to qualify as a countermeasure under the law of State responsibility to be lawful. The requirements for countermeasures have been set forth by the International Law Commission in its Articles on State Responsibility, which are generally considered to reflect, in great part, customary international law. The key requirement is that the “injured” State’s countermeasure be intended to convince the “responsible” State to desist from its unlawful activities, in this case the emplacement and continued presence of the malware. Countermeasures are also permissible to secure assurances, guarantees or reparations. The option of taking countermeasures to secure guarantees is particularly important, for a guarantee may take the form of neutralization or removal of the malware in question by the responsible State. Additionally, countermeasures may not be anticipatory in character (unlike self-defense), must be proportionate to the unlawful act to which they respond, and must not constitute a use of force.

With respect to the ostensible U.S. malware emplacement operations, developing a capability to conduct operations in the future in the event of conflict would not satisfy the requirement that the purpose of a countermeasure be to cause the responsible State to cease its unlawful conduct; nor would attempting to deter future operations by Russia, for doing so would be anticipatory in character. However, it may be argued that Russia is engaged in a continuing unlawful course of conduct such that countermeasures designed to put an end to the ongoing campaign against U.S. cyber infrastructure are lawful. Because the U.S. operations are in kind and directed against cyber infrastructure of the same type that has been targeted by the Russians, the requirement of proportionality would appear to be met.

It should be noted that the Articles on State Responsibility suggest that an injured State must notify the responsible State prior to conducting a countermeasure in order to give the latter an opportunity to cease its unlawful conduct. The United Kingdom has rejected this requirement in the cyber context, and rightly so, for advance notification could reveal highly classified capabilities and/or enable the responsible State to defeat the cyber countermeasure. It would seem clear, however, that the responsible State would have to be made aware of the fact that a countermeasure is underway in response to its unlawful action so that it understands it needs to desist. This might explain the apparent willingness of U.S. officials to allow the New York Times story to be published.  It could also simply be an attempt to demonstrate capabilities, but these two rationales for revealing the U.S. hand are not mutually exclusive.

Other means of responding to internationally wrongful cyber operations include action pursuant to the plea of necessity under the law of State responsibility and self-defense in accordance with Article 51 of the UN Charter and customary law.  Neither is applicable in this case for there is no indication that activation of any of the cyber capabilities that have been implanted is underway or imminent, a condition precedent for both responses.

Concluding Thoughts 

So, are the alleged U.S. operations appropriate and lawful? They are arguably lawful, either on the basis that there is no rule of sovereignty for them to violate or because they can be styled as countermeasures in the face of an ongoing cyber campaign against U.S. critical infrastructure, the latter being the better legal justification.

But the first justification is problematic as a practical matter. If there is no rule of sovereignty, the gloves are off. States will inevitably conduct cyber operations that seem to the target State to demand a response and the cyber operations of both sides will risk misunderstanding and escalation. Cyberspace resultantly will become an increasingly dangerous domain of conflict, one rife with instability. Those States that embrace minimalist legal standards or normative ambiguity as affording them freedom of action to defend their national interests are badly misguided, for international law and agreed non-binding norms have long proven a stabilizing force in international relations. If the rule of sovereignty exists, however, as it almost certainly does, States will enjoy the deterrent benefits of international law while retaining the right to respond as necessary to hostile cyber operations by other States.

This leaves the question of whether operations implanting destructive or disruptive capabilities into another State’s critical infrastructure are ever a responsible measure to take, especially in the face of widespread denunciation of cyber operations affecting that infrastructure and the attendant risk of escalation. And if deterrence is the objective, the emplacement of malware in critical infrastructure upon which the civilian population depends smacks of countervalue targeting during the nuclear era, which rightfully raised important moral issues and, should it ever have taken place, would have shaken the international law governing conflict to the core. The decision to engage in the practice is one that States must not take lightly.

IMAGE: High tension electrical power lines at a transfer station along Highway 58 are viewed on March 28, 2017, near Buttonwillow, California.  (Photo by George Rose/Getty Images)

About the Author(s)

Michael Schmitt

Michael Schmitt (@Schmitt_ILaw) is Chair of Public International Law at the University of Exeter Law School in the United Kingdom; Francis Lieber Distinguished Scholar at the U.S. Military Academy at West Point; Strauss Center Distinguished Scholar and Visiting Professor of Law at the University of Texas; professor emeritus at the U.S. Naval War College; and Director of Legal Affairs for Cyber Law International. He serves on the Department of State’s Advisory Committee on International Law, is a member of the Council on Foreign Relations and a Fellow of the Royal Society of Arts, and is General Editor of The Lieber Studies (OUP). Follow him on Twitter (@Schmitt_ILaw).