SolarWinds as a Constitutive Moment: A New Agenda for the International Law of Intelligence

Public attention to national security policy is often driven by catastrophic moments of insecurity when vulnerabilities are exploited and threats materialize. These extraordinary moments can become a powerful trigger for action. As Thomas Birkland writes in Lessons of Disaster, such focusing events are “sudden, relatively rare, can be reasonably defined as harmful or revealing of the possibility of greater potential harms… and that is known to policymakers and the public virtually instantaneously.” The SolarWinds mass data breach, a hack that is “literally keeping security experts awake at night,” might be that kind of trigger.

President of Microsoft Brad Smith has opined that the wide-ranging hack of SolarWinds’ Orion IT software calls for a “moment of reckoning.”  “This is not ‘espionage as usual,’” he said. “This is not just an attack on specific targets, but on the trust and reliability of the world’s critical infrastructure in order to advance one nation’s intelligence agency.” Former  Director of the Cybersecurity and Infrastructure Security Agency Chris Krebs stated that the “indiscriminate nature” of targeting the supply chain in way that potentially compromised thousands of companies was “outside of the bounds of at least what we have seen recently of espionage activities.” Former NSA Deputy Director Chris Inglis said SolarWinds hack “focused sufficiently sharply that it hovers in the mind’s eye for quite some time,” and he called for espionage-specific rules of international law, saying the hack violated principles of proportionality and necessity.

As Birkland has shown, however, not all focusing events result in actual policy changes. For these events to be truly transformative we need a constitutive moment, as Paul Starr called it in “Creation of the Media.” These are moments where “ideas and culture come into play, as do constellations of power, preexisting institutional legacies, and models from other countries.” Specifically in the context of communications policy, Starr breaks constitutive decision-making into three composite parts: first are “the general legal and normative rules,” second are the “specific design of communications media, structure of networks, and organization of industries,” and third are the “institutions related to the creation of intangible and human capital that is education research and innovation.”

In a recent Just Security essay analyzing this hack, Kristen Eichensehr warns against what she calls a policy of “strategic silence.” Eichensehr cautions against “following a playbook the executive branch has [frequently] used in the immediate aftermath of past cyber intrusions by foreign governments, at least when those breaches involve traditional espionage.” At the heart of that strategic silence is the idea that espionage is not subject to meaningful regulation under international law and that any State may justify its behavior through the argumentum ad hominem of “tu quoque” (a concept that DoD General Counsel’s Office once elevated to the level of an “international law doctrine,” further defining it as the idea that a “nation has no standing to complain about a practice in which it itself engages”). Others like Jack Goldsmith have written that the United States is in no position to complain about SolarWinds hack with US agencies being responsible for similar malicious operations against other countries.

But building off of Eichensehr’s point, I believe we should throw the regular playbook out the window. We no longer have the privilege of ignoring the growing impact of intelligence in international affairs, politics, and law and therefore must set a bold agenda for the study of the second oldest profession. And like Goldsmith, I believe there is an opportunity for nations to forge agreements “to curb certain activities in foreign networks in exchange for forbearance by our adversaries in our networks” and to thus define what those boundaries include.

SolarWinds is an important moment as it offers a live example of the paramount risks associated with a completely unchecked and unregulated international intelligence environment. But it will only prove to be a moment of true and more fundamental reckoning if many of us play our part in capitalizing on this focusing event by forcing legal, technological, and institutional change. What is required is a courageous agenda that is willing to shatter underlying assumptions and historical biases about the possibility to reimagine the law and practice of international espionage.

I. Intelligence Bombshells and Moments of Constitutive Elucidation

Throughout modern history political bombshells in the practice of intelligence have often gone hand-in-hand with efforts to spur international regulation in response. The U2 Spy Plane incident and the U.S. Missile Defense Alarm System (MIDAS) of the 1960s cultivated a discourse about espionage and the law that spanned the American Society of International Law and the United Nations Security Council. It ultimately ended with a treaty-based framework codifying the rights of each of the two Cold War superpowers to use “national technical means of verification” against each other to ensure compliance with their obligations of non-proliferation. French use of torture to gather information about the Algerian National Liberation Front and the later British interrogation techniques against the Irish Republican Army were some of the precursors to the December 1973 convening by Amnesty International of the first International Conference on the Abolition of Torture, which led to the UN Declaration Against Torture in 1975 and the Convention Against Torture of 1985. More recently, the Snowden revelations and the outcry that followed  resulted not only in massive changes to the domestic regulation of US foreign intelligence, but more significantly, they shaped bodies of jurisprudence at the European Court of Human Rights, the Court of Justice of the European Union, and the U.N. Human Rights Committee as well as helped spur the creation of new special procedures in Geneva, like the Special Rapporteur on the Right to Privacy.

Such bombshells and their legal responses might be treated as a constitutive moment. These instances should not be confused with some unattainable process of accelerated custom, à la a “Grotian Moment;” these are far more modest opportunities for collective consensus-building around specific legal rules and institutions. In these moments we might see the emergence of what Yoram Dinstein called a “C2” a “Consortium of the Concerned”—a group of individuals and entities who might work together in “the kind of mission for which no medals are struck, the kind of campaign at the conclusion of which no triumphs are celebrated, yet the mission and the campaign are invaluable for their importance.” This mission would be one of rule-prescribing, through careful painstaking acts of rule-application and rule-agitation.

II. The Case for a New Agenda for the International Law of Intelligence

The SolarWinds event demonstrates three key elements of contemporary cyber espionage that exacerbate great power competition and expedite the need for an agenda-setting rule reformation for the International Law of Intelligence (ILI): (1) the reduction of capacity constraints on perpetrators; (2) the downsides of hyper-interconnectivity in the digital ecosystem; and (3) the stagnation of cyber law regulation.

Throughout its history, espionage could always be cabined as a remote, isolated, and relatively managed phenomenon, simply due to the capacity limitations that governed the adversaries’ ability to wreak substantive havoc. In the pre-cyber age, the nature of the intrusions, their temporal scope, and their level of penetration were more often than not constrained and limited. Sure, on occasion, high value targets were turned into double agents and key strategic phone lines were tapped. Nonetheless, each such operation took decades to plan and execute, were extremely expensive and dangerous, and once a source was lost it was often lost for good. We now live in an age where technological advancements and our societal reliance on them have removed those inhibitions. Adversaries are now able to engage in widespread, systematic, and repeated operations of a scope and magnitude like never before. Combined with a privatized market for espionage where surveillance tools and techniques are no longer under the monopoly of States, new and dangerous opportunities loom for catastrophic collateral damages.

Moreover, as our political, economic, social, and cultural lives have gone digital we’ve developed a new ecosystem where we are at all times interconnected and interdependent. SolarWinds offers a prototypical example of the unique risks of such an ecosystem as Brad Smith describes in his statement:

“While governments have spied on each other for centuries, the recent attackers used a technique that has put at risk the technology supply chain for the broader economy. As SolarWinds has reported, the attackers installed their malware into an upgrade of the company’s Orion product that may have been installed by more than 17,000 customers. The nature of the initial phase of the attack and the breadth of supply chain vulnerability … created a supply chain vulnerability of nearly global importance, reaching many major national capitals outside Russia … The installation of this malware created an opportunity for the attackers to follow up and pick and choose from among these customers the organizations they wanted to further attack, which it appears they did in a narrower and more focused fashion … While roughly 80% of these customers are located in the United States, this work so far has also identified victims in seven additional countries. This includes Canada and Mexico in North America; Belgium, Spain and the United Kingdom in Europe; and Israel and the UAE in the Middle East. It’s certain that the number and location of victims will keep growing.”

Even more troubling is the knowledge that cyber espionage is an environment in which many important lines are blurred: between territorial and extraterritorial, domestic and foreign, civilian and governmental, law enforcement and military. Much in the same way that the 2000s were marked by a diffuse forever and everywhere war against terrorism, the 2020s offer a troubling expansion and augmentation of espionage activities in cyberspace.

Finally, the international regulation of cyber operations, especially including cyberespionage, remains in disarray. As Tim Maurer has shown: “norms for cyberspace remain highly contested internationally among governments and fragmented domestically within governments. Despite diplomatic activities at the United Nations over the past two decades, intersubjective agreement on norms governing coercive cyber power is still nascent.” Part of the reason for this  stagnation in regulation is rooted in the fact that traditional espionage law and emergent cyber law, in form and function, overlap in such a way that they are best conceived as two elements of a system. As I have argued elsewhere, “any attempt to modify or extend existing bodies of international law to better regulate low-intensity cyber operations will inevitably result in tidal waves that will engulf espionage operations. Conversely, any attempt at normative compartmentalization or regulatory insulation could be equated to challenging a law of physics.” Adopting this viewpoint, it becomes clearer why we must change the script on the international law of intelligence. Its normative realignment is an obvious prerequisite for the world community to be able to ever move forward in the necessary debates on the application of international law in cyberspace more broadly.

III. Four Key Features of the new International Law of Intelligence Agenda

A new agenda for the ILI requires an iterative multi-stakeholder process. At the outset it entails that intelligence professionals across different ranks and fields become invited participants in international law discussions. Not only that, but a new research agenda for the ILI is, by design, an interdisciplinary study. It brings to the center of legal debates scholars of intelligence studies, of history, and of political philosophy. Imagining what “just intelligence” means as a set of legal and ethical rules binding on States would require collaborative work that does not sweep the practice of espionage under the rug but rather takes it out puts it under the microscope.

Such a massive enterprise is not for the faint hearted, nor is it for a small set of persons to design alone. While I don’t claim to hold all (or any) of the answers, I nonetheless wish to offer four general ideas of the kind around which such an agenda might coalesce:

(1) This agenda must recognize the invaluable function that intelligence plays in international politics. Intelligence is not a “diabolical act” as Kant once called it; nor does it promise “rays of light to the human soul” as Hobbes would have you imagine. It is a human-designed system made to address the frailties of global order where self-help remains a dominant feature. As I have written elsewhere, to acknowledge the stability-enhancing functions of intelligence in public world order must first entail recognizing that sovereign nations enjoy a liberty to spy under customary international law. Such a statement, rarely uttered by internationalists, will be the only way to convince intelligence-gathering States to join this crucial conversation.

(2) Recognizing that Russia enjoys a legally enshrined liberty to spy on the United States (and that the latter enjoys a reciprocal liberty to spy on Russia) must not necessarily end with a legitimization of operations like SolarWinds. We must begin to ask deeper questions about the practice of espionage: when should uses of a sovereign nation’s intelligence arm be authorized (the Jus Ad Explorationem ­– the Law Before Spying) and what are legitimate and illegitimate means and targets for such operations (the Jus In Exploratione – the Law During Spying). This could lead States to come together around certain kinds of restrictions. We might say that intelligence collection conducted in the service of internationally wrongful acts (say genocide or territorial conquest) should be prohibited. We might also ban certain commercially-motivated spying, such as that conducted to advance theft of intellectual property. We may also ban specific techniques. We could say that in the name of catching bin-Laden one sovereign nation should not erode public trust in basic human health responses like the polio vaccine. Under that same logic, we could also argue that in the name of whatever it was that Russia was seeking, one sovereign nation should not erode public trust in critical cyber emergency response tools, like commercial software updates.

(3) In other words, such an agenda takes seriously the idea that there is historical state practice of intelligence operations and that such state practice influences the gradual evolution of a lex specialis subfield of international law. In a series of cases involving foreign surveillance the European Court of Human Rights has laid down general human rights requirements for the operation of intelligence, including principles of legality, necessity, proportionality, adequate safeguards, ex-ante authorization, ex-post oversight and review, transparency, and access to remedies. The United States and many of its allies have already implemented such frameworks to varied degrees of success. Indeed, as noted by Ashley Deeks, “The pressures on Western intelligence communities to interpret international law more strictly and apply it more robustly are only beginning.” Building on this experience there is a real possibility to articulate actual rules for the ILI and build consensus around them. These rules will carry important value regardless of perfect enforcement. A Biden administration interested in “imposing substantial costs” on those who launch SoalrWinds-type espionage operations, will be under greater pressure to walk the walk and not just talk the talk. This entails an administration that is willing to lead toward this evolving framework – both by example and in coordination with its allies and partners. Without such innovative and forward-looking agenda, the United States, which carries the biggest punch, will continue to be viewed as a “global cyber bully” as Goldsmith noted.

(4) To develop a real global agenda and harness support for it beyond our immediate partners, we must adopt a critical lens through which we can consider the regulation of intelligence. There is a reason why espionage remains a taboo word in the United Nations and why so many countries, predominately in the Global South, are so critical of the role of intelligence in society. For intelligence agencies to come to terms with their troubled past (as a tool for subversion, subjugation, and marginalization), we must embrace a multitude of voices. Such diversity of perspective is pivotal for the success of any international agenda in the 21st century, and the ILI is certainly no exception. Welcoming Third World Approaches to International Law (TWAIL), gender, race, and LGBTQ+ critiques of the surveillance state and its capitalist markets will be a challenging step for members of the intelligence community. Just as true, persuading human rights activists and civil society organizations to work with the intelligence community will be equally difficult. Nonetheless, such collaboration is a required step for developing a robust international agenda worthy of its name.

In their 1973 seminal work, Professors McDougal, Lasswell, and Reisman, provocatively concluded that the “gathering of intelligence within the territorial confines of another states is NOT, in and of itself, contrary to international law unless it contravenes policies of the world constitutive process affording support to protected features of internal public order.” far, few have ventured in their footsteps, seeking to define what those “policies” and “features” might be. A new international agenda for intelligence is one that seeks to constrain the most destructive elements of the trade while solidifying its core functions. If the SolarWinds hack moves U.S. policy on intelligence in that direction, it may prove a blessing in disguise.

 

Editor’s note: Readers may also be interested in Michael Schmitt’s Top Expert Backgrounder: Russia’s SolarWinds Operation and International Law.

Image Credit: Getty Images/MR.Cole_Photographer

 

About the Author(s)

Asaf Lubin

Dr. Asaf Lubin is an Associate Professor of Law at Indiana University Maurer School of Law and a Fellow at IU’s Center for Applied Cybersecurity Research (CACR). He is also an affiliated fellow at Yale Law School’s Information Society Project, a Faculty Associate at the Berkman Klein Center for Internet and Society at Harvard University, and a visiting Scholar at the Hebrew University of Jerusalem Federmann Cyber Security Research Center. Follow him on Twitter (@AsafLubin).