On March 2, Department of Defense (DoD) General Counsel Paul Ney delivered a keynote address at the 2020 U.S. Cyber Command Annual Conference that set forth the Defense Department’s views on various issues of domestic and international law regarding cyberspace. It is the most significant public statement on the subject by a Trump administration official to date. Ney’s statement is of heightened importance because it speaks to key aspects of international law that govern the U.S. strategy of “Persistent Engagement” in cyberspace that was adopted in 2018.
To set the stage, this article begins by highlighting key elements of that strategy. I then turn to international law, focusing on the rules singled out in the General Counsel’s address (see also Professor Bobby Chesney’s analysis). Most of the DoD positions, albeit cautiously crafted, strengthen the nascent international consensus around certain key topics, thereby helping to reduce the normative ambiguity that some countries are exploiting in ways that threaten security and stability in cyberspace. One position outlined by Ney however — the U.S. position on sovereignty — notably departs from the emerging consensus position, although it is sufficiently nuanced to leave the door open to further international dialogue. To illustrate agreement, and occasional disagreement, among key partners, I will juxtapose the U.S. positions against those the United Kingdom, Australia, Netherlands, and France have publicly taken in the last two years.
The current U.S. strategy effectively replaced that set forth in a series of documents, most prominently the Obama Administration’s 2011 International Strategy for Cyberspace, 2012 Presidential Policy Directive 20, and 2015 DoD Cyber Strategy. Previously, the U.S. strategy was predominantly defensive in nature. For instance, the 2015 DoD Cyber Strategy provided that the Department “may conduct cyber operations to counter an imminent or on-going attack against the U.S. homeland or U.S. interests in cyberspace,” and that it would “seek to exhaust all network defense and law enforcement options to mitigate any potential cyber risk to the U.S. homeland or U.S. interests before conducting a cyberspace operation.” Authorization for such operations required approval of the President or, in some cases, Secretary of Defense.
However, events soon challenged this defensive posture. 2016 saw Russian interference in U.S. elections (see the 2017 Intelligence Community Assessment and 2019 Senate Intelligence Committee Report volume 1 and volume 2). 2017 witnessed North Korea carry out the WannaCry ransomware attack that, inter alia, disrupted health care in the U.K. and the Russian NotPetya attack against Ukraine that bled into systems globally at a cost measured in the billions of dollars. These and other serious cyber incidents led to calls within parts of the executive branch for greater authorities to conduct extraterritorial cyber operations, a streamlining of the approval process, and a lowering of approval levels.
The White House’s 2018 National Cyber Strategy (NCS) was in part a response to the incidents of the preceding two years. The NCS warns that the “United States will develop swift and transparent consequences, which we will impose consistent with our obligations and commitments to deter future bad behavior.” In doing so, the United States will “work with like-minded states to coordinate and support each other’s responses to significant malicious cyber incidents, including through intelligence sharing, buttressing of attribution claims, public statements, support for responsive actions taken, and joint imposition of consequences against malign actors.” Such a strategy, particularly the “imposition of consequences” aspect, inevitably begs the question of how international norms both limit and empower the resultant cyber operations.
In this regard, the NCS professes fidelity to a rules-based international order in cyberspace, stating that:
The United States will promote a framework of responsible state behavior in cyberspace built upon international law, adherence to voluntary non-binding norms of responsible state behavior that apply during peacetime, and the consideration of practical confidence building measures to reduce the risk of conflict stemming from malicious cyber activity. These principles should form a basis for cooperative responses to counter irresponsible state actions inconsistent with this framework.
Importantly, the document also emphasizes the contribution international law and non-binding norms make to global stability and security:
International law and voluntary non-binding norms of responsible state behavior in cyberspace provide stabilizing, security-enhancing standards that define acceptable behavior to all states and promote greater predictability and stability in cyberspace. The United States will encourage other nations to publicly affirm these principles and views through enhanced outreach and engagement in multilateral fora. Increased public affirmation by the United States and other governments will lead to accepted expectations of state behavior and thus contribute to greater predictability and stability in cyberspace.
The DoD also issued its own Cyber Strategy in 2018. Although the full document remains classified, an unclassified summary released by the DoD signals the extent to which its current strategy moves beyond the 2015 DoD Cyber Strategy in terms of willingness to engage adversaries aggressively in cyberspace. Warning that the “United States’ strategic competitors are conducting cyber-enabled campaigns to erode U.S. military advantages, threaten our infrastructure, and reduce our economic prosperity,” it forewarns adversaries that the DoD:
must take action in cyberspace during day-to-day competition to preserve U.S. military advantages and to defend U.S. interests. Our focus will be on the States that can pose strategic threats to U.S. prosperity and security, particularly China and Russia. We will conduct cyberspace operations to collect intelligence and prepare military cyber capabilities to be used in the event of crisis or conflict. We will defend forward to disrupt or halt malicious cyber activity at its source, including activity that falls below the level of armed conflict. We will strengthen the security and resilience of networks and systems that contribute to current and future U.S. military advantages. We will collaborate with our interagency, industry, and international partners to advance our mutual interests.
The 2018 DoD strategy has been labeled “Persistent Engagement” to reflect the tactic of remaining “in contact” with adversaries, thereby denying them the advantages of initiative and control of play. “Defending Forward,” which denotes a willingness to engage in extraterritorial cyber operations, is the method by which the engagement will be accomplished. The success of the strategy depends on an ability to act more quickly than previously had been the case, which was made possible (see here) with the issuance of both the National Security Presidential Memorandum 13 and the John S. McCain National Defense Authorization Act in 2018.
Persistent Engagement’s operational design was further fleshed out in Achieve and Maintain Cyberspace Superiority, the 2018 Cyber Command Vision Statement. It provides:
The United States must increase resiliency, defend forward as close as possible to the origin of adversary activity, and persistently contest malicious cyberspace actors to generate continuous tactical, operational, and strategic advantage. We achieve success by seizing the initiative, retaining momentum, and disrupting our adversaries’ freedom of action.
To “Defend Forward” in this way necessitates non-consensual operations into the territory of other States. Such cyber operations could include, for example, monitoring the operation of cyber infrastructure, gathering intelligence by such means as exfiltration, pre-positioning capabilities, and conducting operations that might cause effects in those countries.
Offensive operations like those contemplated by Persistent Engagement and Defending Forward are the cause of concern for many States. The Cyber Command Vision Statement acknowledges this reality when it notes that, “[w]e recognize that adversaries already condemn U.S. efforts to defend our interests and allies as aggressive, and we expect they will similarly seek to portray our strategy as ‘militarizing’ the cyberspace domain.” The statement goes on to state, however, that “[t]he Command makes no apologies for defending U.S. interests … in a domain already militarized by our adversaries.”
Situating the DoD’s Legal Positions
As with other national strategy documents (see, e.g., the White House’s 2017 National Security Strategy), the NCS, DoD Cyber Strategy, and Cyber Command Vision Statement do not discuss specific facets of international law. Nevertheless, the NCS commits the United States to affirming its positions on the norms governing cyberspace. Such norms include both binding international legal rules and voluntary non-binding norms such as those agreed to in the 2015 U.N. Group of Governmental Experts (GGE) on Developments in the Field of Information and Telecommunications in the Context of International Security report and others being worked on by the 2019-2021 U.N. Group of Governmental Experts and 2019-2020 U.N. Open-Ended Working Group.
General Counsel Ney’s recent keynote address commendably references relevant areas of international law, building on previous U.S. pronouncements, including the 1999 DOD General Counsel Assessment, speeches by State Department Legal Advisors Harold Koh and Brian Egan in 2012 and 2016 respectively, and the 2014 U.S. submission to the GGE. The material difference is that the positions set forth by Ney, unlike previous statements, support a cyber strategy that openly embraces the prospect of extraterritorial cyber operations. It is telling that Ney’s remarks broadly align with those outlined by previous administrations, with two nuanced exceptions (notice of intent to take countermeasures and sovereignty).
Ney begins by asserting that non-governmental efforts to identify the international law applicable in cyberspace, such as the Tallinn Manual 2.0 project, are “useful to consider, but they do not create new international law, which only states can make.” As director of that project, I could not agree more. I would add that only States may authoritatively interpret existing international law, a point that is essential to grasp in the cyber context, for most of the normative activity in the field involves the interpretation of extant rules, rather than the development of new ones.
In this regard, Ney emphasizes that government lawyers must be able to provide their clients advice in real time when their State is acting in support of its national interests in cyberspace. This requires understanding “how existing rules apply to activities in other domains, while considering the unique, and frequently changing, aspects of cyberspace.” In other words, the interpretation of international law is necessarily contextual, a point that must be borne in mind when considering international law in the cyber context.
The Use of Force
The first specific rule Ney tackles is the prohibition on the use of force found in Article 2(4) of the U.N. Charter. He notes that “[i]n assessing whether a particular cyber operation—conducted by or against the United States—constitutes a use of force, DoD lawyers consider whether the operation causes physical injury or damage that would be considered a use of force if caused solely by traditional means like a missile or a mine.” This approach, one shared by the United Kingdom and Australia, is cautious in that it avoids taking a stance on whether hostile cyber operations that are not physically destructive or injurious may ever constitute a use of force for the purposes of Article 2(4). Ney also notes that acting in self-defense when necessary, proportionate, and in response to an actual or imminent “armed attack” is an exception to the general prohibition, but does not develop the notion of self-defense further (perhaps because the U.S. position, in contrast to most other States, has long been that the use of force and armed attack thresholds are identical).
In 2019, the Netherlands addressed this question head on, stating that “at this time it cannot be ruled out that a cyber operation with a very serious financial or economic impact may qualify as the use of force.” It explained:
It is necessary, when assessing the scale and effects of a cyber operation, to examine both qualitative and quantitative factors. The Tallinn Manual 2.0 refers to a number of factors that could play a role in this regard, including how serious and far-reaching the cyber operation’s consequences are, whether the operation is military in nature and whether it is carried out by a state. These are not binding legal criteria. They are factors that could provide an indication that a cyber operation may be deemed a use of force, and the government endorses this approach.
The same year, employing reasoning analogous to that of the Netherlands, France adopted the position that a use of force need not be destructive or injurious:
France does not rule out the possibility that a cyberoperation without physical effects may also be characterised as a use of force. In the absence of physical damage, a cyberoperation may be deemed a use of force against the yardstick of several criteria, including the circumstances prevailing at the time of the operation, such as the origin of the operation and the nature of the instigator (military or not), the extent of intrusion, the actual or intended effects of the operation or the nature of the intended target. This is of course not an exhaustive list. For example, penetrating military systems in order to compromise French defence capabilities, or financing or even training individuals to carry out cyberattacks against France, could also be deemed uses of force.
In my estimation, it is very unlikely that a State facing calamitous cyber operations, such as a devastating attack on its economy or disruption of its national defense capabilities, would hesitate to treat such operations as a use of force because they were neither physically destructive nor injurious. On the contrary, even States that reject the U.S. view that there is no sunlight between the use of force and armed attack thresholds would characterize such operations as armed attacks entitling them to resort to kinetic or cyber force in self-defense. This being so, Ney’s cautionary note that “it is important to keep in mind that the State or States targeted by the operation may disagree, or at least have a different perception of what the operation entailed,” is well placed.
Cyber operations not rising to the level of a use of force may nevertheless violate the prohibition on coercive intervention in the internal or external affairs of other States (the so-called domaine réservé, that is, the area of activity left to States by international law). Ney drew on the International Court of Justice’s discussion of intervention in its Nicaragua judgment in pointing to a State’s “choice of political, economic, or cultural system” as illustrating the domaine réservé. Confirming consistency in the U.S. view of intervention, Ney uses examples pulled verbatim from the 2016 Egan speech, stating that “‘a cyber operation by a State that interferes with another country’s ability to hold an election’ or that tampers with ‘another country’s election results would be a clear violation of the rule of non-intervention.’” He also observes that “[o]ther States have indicated that they would view operations that disrupt the fundamental operation of a legislative body or that would destabilize their financial system as prohibited interventions.”
The State making the latter assertion is the United Kingdom. Accurately, Ney underlines the lack of “international consensus among States on the precise scope or reach of the non-intervention principle, even outside the context of cyber operations.” He accordingly cautions, “because States take different views on this question, DoD lawyers examining any proposed cyber operations must tread carefully, even if only a few States have taken the position publicly that the proposed activities would amount to a prohibited intervention.” Again, the DoD is to be commended for acknowledging that irrespective of the legal position taken by the United States, it is always prudent to assess how U.S. operations are likely to be characterized by the State into which they are conducted, as well as the rest of the international community. Doing so is an essential step in any legal risk assessment, and an important responsibility for government lawyers serving their policy clients.
The financial disruption example presented by the United Kingdom serves as a useful illustration of how such differences of view could matter. The U.K. opined that “[s]uch acts must surely be a breach of the prohibition on intervention in the domestic affairs of states.” Usually, that will be the case. However, although a State’s financial affairs typically fall within its domaine réservé, many would caution that the operation must be coercive to qualify as intervention. As noted by the Netherlands:
The precise definition of coercion, and thus of unauthorised intervention, has not yet fully crystallised in international law. In essence it means compelling a state to take a course of action (whether an act or an omission) that it would not otherwise voluntarily pursue. The goal of the intervention must be to effect change in the behaviour of the target state.
It could be that the State conducting the hostile cyber operations seeks no change in the target State’s behavior but is simply acting maliciously. If so, the operation would arguably not be unlawful as a breach of the non-intervention obligation (but, as a legal matter, might separately violate the target State’s sovereignty).
Australia, by contrast, takes a slightly broader view. In the 2019 international law supplement to its International Engagement Strategy, Australia defines “prohibited intervention [as] one that interferes by coercive means (in the sense that they effectively deprive another state of the ability to control, decide upon or govern matters of an inherently sovereign nature), either directly or indirectly, in matters that a state is permitted by the principle of state sovereignty to decide freely.” In other words, there need be no intent to change the target State’s behavior if the hostile cyber operation blocks the State’s control over activities within its domaine réservé. Applying this standard, the financial operations cited by the United Kingdom would probably qualify as prohibited intervention.
This analysis on my part is not proffered to support either position — both are reasonable interpretations of the rule. But it does illustrate the wisdom of the DoD’s cautious approach to intervention and of its sensitivity to the perceptions of other States. It also highlights a key legal issue that like-minded States would be well advised to consider in an effort to craft a common position, or at least a common understanding of where different States draw the line.
In terms of responses to hostile cyber operations, Ney highlights the countermeasures option. Countermeasures in general are operations that would violate international law but for the fact that they are proportionate self-help measures designed to terminate actions by another State that violate international law, or to secure reparations (restitution, compensation, or satisfaction) for the latter’s unlawful actions. A cyber operation that qualifies as a countermeasure is a “ground for the preclusion of wrongfulness” of that operation. A paradigmatic example would be a victim State’s use of cyber means to shut down cyber infrastructure abroad that is being used by an attacking State to conduct cyber operations violating the victim State’s sovereignty.
The DoD position set forth by Ney is significant in multiple regards. First, he excludes the possibility that countermeasures may be forceful in nature. A persistent debate among international law scholars is whether a countermeasure in response to an unlawful cyber operation involving the use of force may itself rise to the level of a use of force (albeit remaining below the armed attack level of self-defense, see the Separate Opinion of Judge Simma in the ICJ’s Oil Platforms case). This debate prevented the Tallinn Manual 2.0 experts from achieving consensus on the admissibility of forceful countermeasures. However, the DoD position, correctly in my view, strengthens the argument against forceful countermeasures. In taking this stance, the United States joins the U.K., Australia, Netherlands, and France. (That said, because the United States considers that there is no difference between a use of force and armed attack, the DoD presumably could not subscribe to any view that forceful countermeasures below the level of an armed attack even exist as a conceptual matter, let alone that only those lower-level uses of force are permissible.)
Interestingly, the DoD does not appear to be taking a position on the International Law Commission’s claim in its Articles on State Responsibility that countermeasures must be preceded by notice to the “responsible” State (the State against which the countermeasure is directed). In 2016, Brian Egan had noted that the law of State responsibility “generally requires the injured State to call upon the responsible State to comply with its international obligations before a countermeasure may be taken.” Obviously, the term “generally” appears to admit of exceptions, but Ney’s treatment is even less supportive, and appropriately so, of the purported requirement. Without setting forth the DoD view, he simply observes that there are “varying State views on whether notice would be necessary in all cases in the cyber context because of secrecy or urgency.” The U.K., France, and the Netherlands sensibly and defensibly have rejected an absolute requirement of notice before countermeasures, as did the Tallinn Manual 2.0 experts. Their rejection is an instructive example of accepting the existence of a rule of international law, but interpreting it in light of the unique circumstances in which it is to be applied, in this case the reality that an absolute notice requirement could effectively preclude the “injured State” from taking crucial countermeasures in response to severe hostile cyber operations.
Perhaps most significantly, Ney stresses that an unlawful cyber operation (an “internationally wrongful act” in international law parlance) is a condition precedent to the taking of countermeasures, stating that:
In a particular case it may be unclear whether a particular malicious cyber activity violates international law. And, in other circumstances, it may not be apparent that the act is internationally wrongful and attributable to a State within the timeframe in which the DoD must respond to mitigate the threat. In these circumstances, which we believe are common, countermeasures would not be available.
The DoD’s commitment to this well-established requirement is commendable. However, still open is the question of what to do when the identity of the originator of a hostile cyber operation is somewhat uncertain. In other words, how certain must a State be that an unlawful cyber operation is attributable to another State pursuant to the law of State responsibility before launching a countermeasure? There are two views, both discussed in Tallinn Manual 2.0. According to the first view, a State takes countermeasures at its own risk. Hence, if a State misattributes a hostile cyber operation to another State against which it conducts a countermeasure, it will have committed an internationally wrongful act because there is no ground for precluding the wrongfulness of its response. The competing second view is that international law requires States to be reasonable, but not right. So long as the response was taken based upon a reasonable attribution made in good faith, it is lawful. It may sound like the second view provides States adopting countermeasures more latitude. However, the first view may mean there is no standard of proof that a State must meet before engaging in such acts, although it will be responsible for the consequences of that action.
A further issue raised by Ney’s statement derives from the position taken by the DoD on the existence and scope of an international law obligation to respect the sovereignty of other States.
In 2018, the United Kingdom’s then Attorney General, while laudably setting forth his government’s very sound positions on numerous other points of international law, announced:
Sovereignty is of course fundamental to the international rules-based system. But I am not persuaded that we can currently extrapolate from that general principle a specific rule or additional prohibition for cyber activity beyond that of a prohibited intervention. The UK Government’s position is therefore that there is no such rule as a matter of current international law.
In most cases, this would mean that a hostile cyber operation would have to either violate the prohibition on intervention, which requires intrusion into the domaine réservé and coercion, or cross the high threshold for a use of force before being unlawful. The U.K. position evoked concern around the world and led NATO allies France and the Netherlands to take a firm position to the contrary, one well-founded in law, in order to preserve the rule’s protective value (on the issue, see here, here, here, here, and here, but see here, here, and here). For France, the Netherlands, and many other States, as well as most scholars (including those who authored Tallinn Manual 2.0), the issue is not the existence of a rule of sovereignty, but the challenge of identifying its parameters in light of the unique characteristics of cyber operations.
Although acknowledging the difference of opinion, Ney states that “[t]he DoD [Office of General Counsel] view, which we have applied in legal reviews of military cyber operations to date, shares similarities with the view expressed by the U.K. Government in 2018.” He further suggests, as had the U.K. Attorney General, that “many States’ public silence in the face of countless publicly known cyber intrusions into foreign networks precludes a conclusion that States have coalesced around a common view that there is an international prohibition against all such operations (regardless of whatever penalties may be imposed under domestic law).”
The flaw in this justification is that it treats as evidence of the rule’s nonexistence the lack of condemnation of cyber operations as sovereignty violations. However, unless they reject the existence of such a rule in the non-cyber context (a highly problematic proposition in light of the overwhelming evidence to the contrary), proponents of the position bear the burden of justifying the non-applicability of the existing sovereignty rule to cyber operations, as has been done in the case of the countermeasures notice requirement discussed above. No principled defense of the approach has been offered to date, and there is scant opinio juris to conclude States have remained silent based upon a legal belief that general rules of sovereignty do not extend to cyber operations.
Moreover, if international law requires affirmative evidence of the applicability of existing law to cyber operations, then the United Kingdom’s praiseworthy embrace of many provisions of international law in the cyber context, including the prohibitions on intervention and the use of force, would be rendered suspect, for there have been almost no condemnations of cyber operations on those bases either. In any event, the affirmation of a sovereignty rule by States with well-developed normative positions like France and the Netherlands (as well as others that have taken that position behind the curtain) undercuts the stated justification for denying the rule’s existence.
Read carefully, Ney’s discussion of sovereignty is more nuanced than the United Kingdom’s. Consider the significance of his discussion of espionage in that context.
Traditional espionage may also be a useful analogue to consider. Many of the techniques and even the objectives of intelligence and counterintelligence operations are similar to those used in cyber operations. Of course, most countries, including the United States, have domestic laws against espionage, but international law, in our view, does not prohibit espionage per se even when it involves some degree of physical or virtual intrusion into foreign territory. There is no anti-espionage treaty, and there are many concrete examples of States practicing it, indicating the absence of a customary international law norm against it. In examining a proposed military cyber operation, we may therefore consider the extent to which the operation resembles or amounts to the type of intelligence or counterintelligence activity for which there is no per se international legal prohibition.
The final sentence is of particular significance. It essentially says that government lawyers must decide whether a cyber operation looks like espionage (or more technically, “the type of intelligence or counterintelligence activity for which there is no per se international legal prohibition”). If the operation does, then it is not a violation of sovereignty. But if the operation does not resemble that type of activity, it could well violate sovereignty. If this was not the case, why would the lawyers engage in an inquiry along these lines at all?
It is also essential to note that no State supporting the existence of a rule of sovereignty applicable to cyber operations has suggested that “all such operations” into another State’s territory are prohibited. On the contrary, some of them engage in extraterritorial cyber operations themselves that they doubtless believe to be lawful. Rather, for these States the question is not whether sovereignty can be violated but instead when a remotely conducted cyber operation violates sovereignty. For instance, most would agree with Ney’s assertion that remotely conducted espionage usually does not violate the target State’s sovereignty. Indeed, the only State that has opined on the threshold for a violation of sovereignty below the level of physical damage or injury is France, which is of the view that the causation of “effects” on French territory amounts to a violation of its sovereignty. But even the French would reject the premise that any remotely conducted cyber operation into its territory violates French sovereignty.
Thus, Ney’s reference to “all such operations” usefully leaves the door cracked for continuing international discussion, especially among like-minded States, designed to identify those cyber operations that violate sovereignty. His conclusion as to the sovereignty matter is reason for optimism in this regard:
As a threshold matter, in analyzing proposed cyber operations, DoD lawyers take into account the principle of State sovereignty. States have sovereignty over the information and communications technology infrastructure within their territory. The implications of sovereignty for cyberspace are complex, and we continue to study this issue and how State practice evolves in this area, even if it does not appear that there exists a rule that all infringements on sovereignty in cyberspace necessarily involve violations of international law.
Indeed, Ney is on solid ground in saying no rule exists that “all infringements on sovereignty in cyberspace” violate international law. And there’s no reason to read the DoD statement as contradicting Egan’s 2016 speech, in which he described the United States’ view: “In certain circumstances, one State’s non-consensual cyber operation in another State’s territory could violate international law, even if it falls below the threshold of a use of force. … Precisely when a non-consensual cyber operation violates the sovereignty of another State is a question lawyers within the U.S. government continue to study carefully, and it is one that ultimately will be resolved through the practice and opinio juris of States.”
The Law of Armed Conflict
Lastly, Ney confirms the applicability of the law of armed conflict to cyber operations. This is irrefutably the correct view and one that most States and relevant international organizations openly support. In particular, NATO took this position in its 2014 Wales Summit Declaration and 2016 Warsaw Summit Declaration and Cyber Defence Pledge documents. Ney also confirms that it is U.S. policy to apply law of armed conflict principles to military cyber operations occurring outside the context of armed conflict (which is a long-standing position). This admirable policy is one that other States would be well-served to adopt.
General Counsel Ney’s address does not, and is not meant to, serve as a comprehensive catalog of DoD positions on how international law applies in cyberspace. It remains to be seen, for instance, how the Department will deal with issues such as the possible existence of a rule of due diligence vis-à-vis cyber operations from or through a State’s territory or the numerous law of armed conflict issues surrounding the concept of cyber “attack.” Nevertheless, the address does offer critical insight into the legal rules the DoD believes govern execution of the U.S. Persistent Engagement strategy. And in a broader sense, the DoD’s Office of the General Counsel is to be applauded for contributing meaningfully, and in a measured fashion, to the ongoing international dialogue animating the normative architecture of cyberspace.