Part I demonstrated that the United States is likely to struggle to make a convincing argument that economic cyber intrusions carried out against it breach international law. Consequently, in most cases the United States would not be able to resort to countermeasures in response. It must therefore show that its offensive cyber operations do not themselves breach international law.
Accordingly, this Part will consider whether U.S. offensive cyber operations, as described in press reporting, are likely to breach international law by violating sovereignty and/or the principle of non-intervention. It will also consider whether, and in what circumstances, these operations could nevertheless be justified as countermeasures.
As defined in Part I, U.S. offensive cyber operations are operations “intended to project power by the application of force in or through cyberspace.” It is not known exactly what shape these operations will take when deployed in response to economic cyber intrusions. Despite the use of the term “application of force,” I will assume the United States is not contemplating cyber operations that would rise to the level of a use of force under international law (see Part I for an explanation of the prohibition on the use of force and when it is transgressed by cyber operations). Instead, it seems more likely that operations of a similar nature to those that jammed the servers of a Russian troll farm seeking to interfere in the 2018 midterm elections (i.e. Operation Synthetic Theology), and that implanted “potentially crippling malware” in the Russian power grid may be deployed in response to economic cyber intrusions by an adversary State like China.
Would U.S. Offensive Cyber Operations against Economic Cyber Intrusions Violate Sovereignty?
There is generally agreement, as Part I indicates, that operations that damage cyber infrastructure, cause it to lose functionality, or that interfere with inherently governmental functions will violate sovereignty. There is no agreement, however, on the international legal treatment of a cyber operation which falls short of any one of these three effects.
U.S. offensive cyber operations as described above, like the economic cyber intrusions they are being deployed against, may often fall into this sovereignty-in-cyberspace grey area. However, a credible case can be made that they, by contrast to economic cyber intrusions, are more likely to breach sovereignty.
The most likely ground under which U.S. offensive cyber operations would breach sovereignty would be the “loss of functionality” ground. As is the case with much of international law in the cyberspace context, it is unclear exactly what loss of functionality encompasses. The experts consulted in the Tallinn Manual 2.0 agreed that a cyber operation necessitating the repair or replacement of physical cyber infrastructure (like hard drives or servers) violates sovereignty, for these effects are similar to physical damage. Beyond this, uncertainty reigns, as there is insufficient State practice or opinio juris to identify where customary international law draws the line (notably, most States have not publicly articulated a view on this issue).
Let’s consider a cyber operation that cuts off the internet access of an adversary State (e.g. China) seeking to exfiltrate technical data from an American company by jamming the servers of the actors planning the intrusion. Whether this operation would breach the adversary’s sovereignty may depend on how transient its effects are. If the operation and its effects are merely temporary, it is less likely that it will reach the level of loss of functionality required to violate the adversary State’s sovereignty. Therefore, the operation would not amount to a sovereignty violation if it temporarily disabled the adversary entity’s servers such that it could not carry out its operation as planned. However, if the operation renders those servers inoperable over a long period of time, or to such an extent that they have to be replaced, this will likely reach the level of loss of functionality that amounts to a breach of the adversary State’s sovereignty.
What about an operation to plant dormant malware that could be remotely activated in some part of the cyber infrastructure (for example, the power grid) of an adversary State in order to deter it from undertaking further economic cyber intrusions against the United States?
At first glance, this would fall into the grey area mentioned above. One could argue that if the malware was merely planted and did not cause damage to physical infrastructure, nor injury to persons, nor a loss of functionality or usurpation of an inherently governmental function, the operation would not amount to a breach of sovereignty.
However, Prof. Mike Schmitt has argued that the emplacement of dormant malware that once triggered is “capable of having destructive or significantly disruptive effects on critical infrastructure” would violate the target State’s sovereignty. This is because the malware would be placed in cyber infrastructure located on the target State’s territory “contrary to its interests and without its consent.” For this reason, an offensive U.S. cyber operation that emplaces malware capable of producing these types of effects could violate sovereignty. However, it is difficult to identify a definitive rule on this issue until many more States outline their views on how sovereignty applies in cyberspace.
In short, U.S. cyber operations whose effects on adversary networks are merely transitory and do not cause damage to cyber infrastructure (or produce other tangible effects) arguably would not violate that adversary’s sovereignty. In these limited circumstances, offensive U.S. cyber operations undertaken in response to economic cyber intrusions may be permissible, in that they do not breach international law. Nevertheless, such operations contrast starkly with economic cyber intrusions, which, under normal circumstances, are far less likely than offensive U.S. cyber operations (as they have been described above) to produce effects that amount to a clear violation of sovereignty.
Would U.S. Offensive Cyber Operations against Economic Cyber Intrusions Violate The Principle Of Non-Intervention?
As Part I outlines, for U.S. offensive cyber operations to violate the principle of non-intervention, they would have to amount to coercion regarding the target State’s affairs. It is unlikely that both kinds of cyber operation described above would violate the principle of non-intervention.
For instance, although the operation of critical infrastructure could be said to fall into the target State’s internal affairs, neither kind of operation would amount to coercion: they would not deprive the target State of freedom to act or not act in any particular way. While a particularly severe jamming operation of a government agency, for example, or the activation (rather than the mere implantation) of malware that cripples critical infrastructure could be serious enough to deprive a State of its freedom to act in specific ways, the types of operations we are aware of thus far do not appear to do so.
Therefore, although these particular types of U.S. offensive cyber operations may not violate the principle of non-intervention, they could breach sovereignty. If they do breach sovereignty, and are undertaken in response to operations that did not themselves breach international law, the U.S. will be in violation of international law, which may entitle the adversary State targeted (e.g. China) to employ countermeasures in response.
Could U.S. Offensive Cyber Operations against Economic Cyber Intrusions Be Justified As Countermeasures?
If an offensive U.S. cyber operation does violate international law, it can only be justified if it qualifies as a countermeasure. As defined in Part I, countermeasures are acts that, but for the prior wrongful conduct of the wrongdoing State, would themselves be unlawful. Thus, they can only be employed in response to a prior unlawful act. But, as Part I demonstrated, the United States would struggle to make a convincing case that economic cyber intrusions violate international law. Without a prior unlawful act, the United States cannot claim that its likely transgressive offensive cyber operations in response can be legitimized as countermeasures.
Even if a particularly egregious economic cyber intrusion were to violate international law, U.S. cyber operations in response to them would only be permissible in fairly limited circumstances. This is because they would have to meet certain conditions, as outlined in Part I, in order to be valid countermeasures. Most notably, the measures employed must be intended to induce the wrongdoing State to cease the offending conduct and comply with its legal obligations, and must be proportionate to the injury suffered. Additionally, certain procedural obligations must be met, such as notifying the wrongdoing state before implementing countermeasures.
However, in the cyberspace context, less importance is attached to the procedural conditions for countermeasures. This is because adhering to them could undercut the effectiveness of the envisaged countermeasures. For instance, notifying the wrongdoing State could reveal cyber capabilities to that State and could potentially enable them to defeat the countermeasure. For this reason, the U.K. has rejected the notion that this condition applies to cyber countermeasures. However, as Prof. Mike Schmitt points out, the wrongdoing State has to know about the countermeasures for them to have any effect in inducing it to cease the offending conduct. This could be the purpose of Bolton’s broad statements on the expanding remit of offensive U.S. cyber operations.
Beyond the procedural requirements, offensive U.S. cyber operations may be unlikely to stop the offending conduct, but they may at least inhibit it. Operation Synthetic Theology is reported to have impeded Russian attempts to interfere in the 2018 midterms, for instance. In circumstances where the adversary State has shown itself unwilling to desist from the offending conduct, as China ostensibly has in reneging on ‘agreements’ to curtail cybertheft, for example, action inhibiting such conduct as opposed to stopping it entirely ought to be an acceptable countermeasure.
Any countermeasures taken must also be proportionate. If the action taken is not proportionate, it would amount to an impermissible retaliation. A proportionality analysis in the context of countermeasures requires a comparison between the injury sustained and the effects of the countermeasure. Although not a general rule, a countermeasure that is of the same nature as, or is similar in nature to, the unlawful conduct against which it is directed is likely to be proportionate. As economic cyber intrusions appear to be of lesser gravity, the proportionality analysis would require any U.S. response to be of similar gravity. Thus, in the context of economic cyber intrusions, of the two kinds of operation considered above, jamming the servers and blocking off internet access to those entities conducting the intrusions is more likely to be proportionate than implanting remotely activated malware capable of crippling an adversary State’s power grid. This further narrows the types of offensive cyber operations that would be permissible responses to economic cyber intrusions.
This two-part series has attempted to clarify the international legal basis for U.S. offensive cyber operations in response to economic cyber intrusions. Little is known about U.S. cyber operations to counter and deter economic cyber intrusions beyond the fact that they may now be taking place. Nevertheless, on the basis of publicly available information, Part I concluded that the United States may struggle to make a convincing case that economic cyber intrusions carried out against it violate international law. Part II demonstrated that U.S. offensive cyber operations in this context may only avoid breaching international law if their effects are similar in kind to the economic cyber intrusions themselves or are transitory in nature. Moreover, only in fairly limited circumstances could U.S. offensive cyber operations against economic cyber intrusions be permissible as countermeasures. It is worth noting, however, that different conclusions may be reached in the future as States continue to conduct cyber campaigns against each other and express their views on how international law applies in cyberspace.
IMAGE: The seals of the U.S. Cyber Command, the National Secrity Agency and the Central Security Service greet employees and visitors at the campus the three organizations share in Fort Meade, Maryland. (Photo by Chip Somodevilla/Getty Images)