On June 11, 2019, White House National Security Adviser John Bolton announced that U.S. offensive cyber operations would be expanded beyond countering election interference to encompass economic cyber intrusions. He remarked that the United States is “now looking at — beyond the electoral context — a whole range of other activities to prevent this other kind of cyber interference … in the economic space, as well.” His comments were aimed squarely at China, who U.S. government officials have accused of engaging in cyber operations to remotely gather sensitive information from U.S. corporate entities and to steal or exfiltrate data, including intellectual property. These economic cyber intrusions have had the effect of “degrad[ing]… U.S. operational and technological advantages.” And China’s proficiency at and utilization of these techniques is stated to be increasing.
According to U.S. Military doctrine, “offensive cyberspace operations” are operations “intended to project power by the application of force in or through cyberspace.” They will seemingly be deployed according to the U.S. Department of Defense’s much vaunted 2018 Cyber strategy. That strategy is anchored around the concepts of “defending forward,” which describes the conduct of operations inside adversary networks to “stop threats before they reach their targets,” and “persistent engagement,” which denotes the continuous confrontation of adversaries throughout cyberspace in order to gain operational advantages while denying such advantages to those adversaries. Examples of these concepts in practice include Operation Synthetic Theology, an operation to disrupt Russian efforts to interfere in the 2018 midterm elections, and more recently reported incursions into the Russian power grid and Iranian missile systems.
Much consideration has been given to the Trump Administration’s new cyber strategies and their basis in domestic law. As regards international law, Prof. Mike Schmitt’s recent excellent analysis outlines the legal implications of U.S. cyber operations directed against adversary incursions into critical infrastructure. However, the international legal basis for employing offensive cyber operations in response to economic cyber intrusions has not yet been examined. I will do so in two parts: Part I will consider which international legal obligations the U.S. could claim have been violated by economic cyber intrusions, if any. Part II will examine the legal rationales under which U.S. offensive cyber operations could be justified.
State Responsibility and Economic Cyber Intrusions
Offensive cyber operations in response to economic cyber intrusions may violate international legal obligations owed by the United States to the State at which the operations are targeted – including potential violations of their sovereignty, the principle of non-intervention, or even the prohibition on the threat or use of force (as I will examine in Part II of this series). This would have to be evaluated on a case-by-case basis, depending on the particular facts of the operation at issue. But to the extent an offensive cyber operation does violate international law, the wrongfulness of that operation would be precluded if it were undertaken as a valid countermeasure. A State is entitled to take countermeasures – which are otherwise unlawful actions or omissions – in response to an internationally wrongful act by another State only if certain conditions are met. As Prof. Mike Schmitt recently explained:
The requirements for countermeasures have been set forth by the International Law Commission in its Articles on State Responsibility, which are generally considered to reflect, in great part, customary international law. The key requirement is that the “injured” State’s countermeasure be intended to convince the “responsible” State to desist in its unlawful activities, in this case the emplacement and continued presence of the malware. Countermeasures are also permissible to secure assurances, guarantees or reparations. The option of taking countermeasures to secure guarantees is particularly important, for a guarantee may take the form of neutralization or removal of the malware in question by the responsible State. Additionally, countermeasures may not be anticipatory in character (unlike self-defense), must be proportionate to the unlawful act to which they respond, and must not constitute a use of force.
Thus, the United States is only entitled to respond to economic cyber intrusions with countermeasures if it can establish that the intrusions undertaken against it breach international law. In the context of China’s alleged economic cyber intrusions against the United States, the United States would need to establish that those intrusions breach a particular rule of international law, and the breach is attributable to China. (I will assume for these purposes that attribution for the relevant cyber activity can be made to China, the main adversary State at issue.)
Which rules of international law could economic cyber intrusions breach?
Transboundary cyber operations, especially when conducted by the military, may implicate articles 2(4) and 51 of the United Nations Charter, which prohibit the threat or use of force by States except in unilateral or collective self-defense in the case of an “armed attack.” For a cyber operation to be a use of force, it must be equivalent in scale and effects to a conventional use of force. The effects of a cyber intrusion that exfiltrates commercially sensitive information are completely different in nature than an operation, for example, to mine a military vessel (Oil Platforms, at 72) or other conventional uses of armed force. Indeed, it is commonly acknowledged that economic cyber hacking and theft fall “below the threshold” for the use of armed force.
Rather than the prohibition on the use of force, the international legal rules most likely to be implicated by economic cyber intrusions are sovereignty and the principle of non-intervention. Briefly, the principle of non-intervention prohibits States from coercively intervening in affairs reserved to another State. Second, States enjoy sovereignty over their own functions and territory, including cyber activities and infrastructure within the State. Sovereignty also provides for a State’s right to determine access to its territory.
The status of sovereignty as a binding rule of international law in the context of cyberspace is debated. There is a view that sovereignty, although an underlying principle of international law in cyberspace, is not a binding rule whose breach engages State responsibility in the cyber context. This view is the official position of the United Kingdom, and has been supported by some experts. But the traditional view is the opposite: that sovereignty is both a principle and a rule in cyberspace, just as it is in non-cyber contexts. This was the view taken by the experts convened to produce the Tallinn Manual 2.0, the Dutch Ministry of Defense, and is arguably the legal view of the United States. The traditional view will therefore be adopted for the purposes of this analysis.
It is worth noting that cyber espionage itself, that is, the collection of information vital to the protection of the State, does not breach international law irrespective of whether it is conducted for economic purposes or for more traditional military/political purposes. International law is generally silent on the permissibility of States collecting intelligence on each other. This is due to widespread acceptance that all States engage in it to some degree. Generally, those matters that international law does not regulate are left to States’ domestic legal orders to regulate (the Lotus case, at 19). This would make economic cyber espionage perpetrated against the United States a matter solely for its domestic law.
Sovereignty and Economic Cyber Intrusions
There is very little scope for the U.S. to maintain that economic cyber intrusions breach its sovereignty. In the non-cyber context, a State’s sovereignty is typically breached when its authority over its territory is compromised, for instance, when an adversary State’s military aircraft enter the territorial State’s airspace without the latter’s consent. In the cyberspace context, particularly when one State remotely accesses cyber infrastructure located in another State, a breach of sovereignty is not as easy to identify.
According to the Tallinn Manual 2.0 (at 20), there is consensus that a cyber operation will breach the target State’s sovereignty in two circumstances. First, if it causes damage to cyber infrastructure in that State or interferes in a relatively permanent way with the functionality of such infrastructure. This is based on the premise that as the target State alone controls access to its sovereign territory, the causation of these effects without its consent would amount to a clear infringement of the target State’s territorial integrity. Second, a cyber operation will also breach the target State’s sovereignty if it amounts to interference with or an usurpation of one of the target State’s inherently governmental functions. As sovereignty guarantees the target State the exclusive right to exercise the functions of a State within its own territory (Island of Las Palmas, at 8), any interference with this right would violate sovereignty.
Whether, and if so when, sovereignty can be violated by remote cyber operations outside of these two circumstances is disputed. Economic cyber intrusions will often fall into this grey area, as sensitive commercial and technical information generally can be accessed and exfiltrated without going so far as to damage or impair cyber functionalities. Indeed, the minority of experts involved in drafting the Tallinn Manual 2.0 who were willing to find a violation of sovereignty beyond the two circumstances described above cited operations that produce effects and have notable consequences, such as the alteration or deletion of data (without causing damage or affecting functionality), the emplacement of malware, or the creation of backdoors (Tallinn Manual 2.0, at 21). The latter operations are distinguishable from most economic cyber intrusions, as the accessing and exfiltration of commercially or technologically sensitive information alone would be unlikely to produce such effects. Additionally, even if economic cyber intrusions do produce effects, they are unlikely to have notable consequences akin to those mentioned above. For instance, the creation of a backdoor to access commercial or technological information is unlikely to be of a scale equivalent to the emplacement of malware capable of significantly impairing or damaging critical infrastructure. The latter, according to Prof. Mike Schmitt, is more likely to constitute a violation of sovereignty.
Economic cyber intrusions are also unlikely to usurp or interfere with inherently governmental functions. An inherently governmental function is not clearly defined, but it may be taken to constitute a function or activity solely undertaken by a State. If non-governmental entities also engage in the function, it is not inherently governmental (Tallinn Manual 2.0, at 22). The function is interfered with, or usurped, if the territorial State is effectively prevented from performing that function. The Tallinn Manual 2.0 (at 22) contrasts the example of a cyber operation designed to empty the bank account of a governmental employee, which would not be interfering with an inherently governmental function (holding a bank account is not inherent to government) with an operation impeding a government from paying its employees, which would be interfering with such a function (as a government’s ability to pay its employees is inherent to that government).
It is difficult to see how economic cyber intrusions would usurp an inherently governmental function. Economic cyber intrusions may be said to be interfering with the storing of commercially and technologically sensitive information, including such information held by the U.S. government. This would not be an inherently governmental function because the private sector (for instance, defense contractors) also engages in the same activity. Furthermore, such activity does not go so far as to prevent the U.S. government from performing such a function entirely, although its international competitiveness may be diminished as a knock-on effect of the successful exfiltration of sensitive defense-related commercial information.
For these reasons, it is difficult to maintain that economic cyber intrusions violate sovereignty.
Non-Intervention and Economic Cyber Intrusions
It is even less likely that economic cyber intrusions would violate the principle of non-intervention. As mentioned above, an unlawful intervention is one in which a State coercively intervenes in affairs reserved to another State. It consists of two elements: coercion, and interference in a State’s domaine reservé, which consists of those matters international law does not regulate, or that are left to States to freely decide based on their sovereign prerogatives. The clearest example of such a matter is “the choice of a political . . . system.” (Nicaragua, at 205) Therefore, the election interference activities against which U.S. offensive cyber operations were initially aimed could have constituted an unlawful intervention provided they were coercive. One State coerces another when its actions force the other State to act in a way that it would not voluntarily, or not to act at all when it wishes to act. (Tallinn Manual 2.0, at 318) In short, for there to be coercion, a State must be deprived of its freedom to act, or not act. Returning to the election interference example, only those kinds of interference that deprived or seriously impaired citizens’ freedom to choose would clearly amount to coercion, and therefore unlawful intervention. An operation to manipulate vote tallies is a good example of this.
Establishing unlawful intervention in the context of economic cyber intrusions is more difficult than in the case of election interference. In particular, it is hard to establish how economic cyber intrusions can constitute coercion. The accessing and exfiltration of commercially or technically sensitive data is unlikely to compel a State to take, or to refrain from taking, a particular action.
Part I has demonstrated that the United States would struggle to make a convincing case that economic cyber intrusions alone violate international law. At most, the United States could claim that its sovereignty has been breached by economic cyber intrusions that entail the emplacement of malware or the creation of backdoors. However, this is not a widely supported argument: indeed, there is no external indication that the United States holds this view. It is also worth noting that this argument is predicated on the notion that sovereignty is a binding rule of international law in cyberspace. If the targets of economic cyber intrusions, like the United States, were to adopt the U.K. view to the contrary, it would be impossible for them to claim that such cyber activity violates their sovereignty. This view may give a State like the U.S. the freedom to conduct ‘below the threshold’ cyber operations without fear of violating international law, but it would also remove all international legal constraints on the economic cyber intrusions conducted by an adversary State like China.
The likely inability of the United States to demonstrate that economic cyber intrusions violate international law calls into question the legality of the offensive cyber operations the U.S. seeks to deploy in response, to the extent those operations would themselves violate international legal obligations owed by the United States to the target State. Accordingly, Part II will examine the legality of these responses.