On July 9, President Biden renewed the warning to President Putin that he had delivered at their June meeting in Geneva. In the phone call, he “underscored the need for Russia to take action to disrupt ransomware groups operating on Russian territory,” and “reiterated that the United States will take necessary action to defend its people and its critical infrastructure in the face of this continuing challenge.”
In an exchange with reporters the same day, he left no doubt as to his intentions:
Q Does it make sense to attack the servers that are used to carry out these ransom attacks in Russia?
THE PRESIDENT: To attack them?
Q Well —
THE PRESIDENT: Well, what happened was there was one company that got — I mean, they weren’t specifically attacking servers; they were attacking businesses.
Q I mean the U.S. response. Up until now, the U.S. response has been to exercise sanctions — impose sanctions on Russia for this malign activity. Does it make sense for the U.S. to take it up a notch and attack the actual servers that are used?
THE PRESIDENT: Yes.
Unsurprisingly, the United States has decided that robust cyber operations may be necessary to deter hostile cyber operations. A series of high visibility cyber operations by Russia or from Russian territory – including the SolarWinds, Colonial Pipeline, REvil, and Republican National Committee operations – have accented the need to adopt a more aggressive approach than has been taken in the past. After all, law enforcement action and acts of retorsion like sanctions have been woefully unsuccessful in convincing Russia to comply with its international law obligations.
Even lawyers at U.S. Cyber Command are now openly, albeit unofficially, arguing that the law enforcement response paradigm is not up to the task of protecting American assets. They are correct, and the U.S. government agrees, as evidenced by the President’s saber-rattling. But the problem is not an exclusively American one, nor is Russia the sole troublemaker (see here and here for recent hostile cyber operations). The problem of hostile cyber operations is now globally endemic.
But for states committed to the rule of law, the normative architecture must accommodate any desired response option. The discussion of how international law governs cyberspace has advanced dramatically since the days when that domain was characterized as a wild west where anything goes. Failure to act in a manner consistent with the applicable international law, and to justify and condemn cyber operations on that basis as appropriate, would be a major step backwards in fostering stability and security to cyberspace.
Express endorsement of three legal policy positions would go far in ensuring the door to effective cyber responses is open, that they fit comfortably within a lawful framework, and that other states are on notice of the U.S. views on these important legal policy issues. They are:
- Sovereignty is a rule of international law.
- States must exercise due diligence to terminate hostile cyber operations from their territory.
- States may engage in collective countermeasures.
In this post, I will explain why adoption of these three positions would operate synergistically to provide the optimal legal framework for responding as President Biden has suggested, not only to deter and respond to hostile cyber operations into the United States but also those targeting U.S. allies and partners.
Since 2018, an unfortunate debate has been underway over whether there is an international law rule requiring states to respect the sovereignty of other states. In that year, the UK Attorney General opined that no such rule existed. Every other country that has spoken directly to the issue since then has taken, and correctly so, the opposite view. They include NATO allies such as France, the Netherlands, and Germany, as well as partners like Japan and “Five Eyes” state New Zealand. Even NATO doctrine acknowledges a sovereignty rule (although the UK reserved on that point). Despite this overwhelming trend towards embracing sovereignty as a rule of international law, important cyber actors like Australia and the United States have not publicly taken a firm position on the matter.
Problematically, discussion over the rule’s existence has undermined the indispensable exchange that states should be having over the criteria by which remotely conducted cyber operations are to be judged when assessing whether they violate the target state’s sovereignty. In broad terms, sovereignty may be violated in two ways. Both require that the operation in question be attributable to another state, for instance, because organs of the state conducted it, or it was mounted by non-state actors operating pursuant to the instructions or effective control of another state (Arts. 4 and 8 of the Articles on State Responsibility).
First, cyber activity that causes effects on another state’s territory can violate sovereignty (Tallinn Manual 2.0, Rule 4). This is so irrespective of whether that damage is to private or government cyber infrastructure. The unresolved question is which cyber operations do so, beyond obvious cases like those that physically damage the targeted cyber infrastructure or systems that rely upon it. Possibilities range from causing systems to permanently lose functionality to merely generating effects upon a state’s territory, as with making them operate improperly (see Tallinn Manual 2.0, Rule 4 commentary; French position, p. 7). There is widespread agreement, however, that espionage, as such, does not breach the sovereignty of the target state (see Tallinn Manual 2.0, Rule 32).
Second, sovereignty may be violated when a cyber operation attributable to one state interferes with, or usurps, inherently governmental functions of another state (Tallinn Manual 2.0, Rule 4). Two paradigmatic examples are interference with the conduct of an election and conducting law enforcement operations such as searches by remote means on another state’s territory. Here too, ambiguity exists. For example, the line between interfering in another state’s elections by cyber means and merely influencing those elections, which is not a violation of international law, is indistinct. The discussion states should be having about these two bases for breach of the sovereignty rule is where to draw these lines in difficult cases.
Acknowledging a rule of sovereignty is essential to deterring and responding to hostile cyber operations. Despite its vagueness, it is the rule most likely to be violated by remotely conducted cyber operations. Other rules, such as the prohibition on intervention into other states’ internal or external affairs or that prohibiting the use of force often have a high threshold for breach (Tallinn Manual 2.0, Rules 66 and 68). For instance, the former requires that the cyber operation in question be “coercive” in nature, and the latter is limited to those causing relatively significant harm to the targeted state.
Being able to claim a violation of sovereignty has two benefits. First, it allows the so-called “injured state” to name and shame the “responsible state” for violating international law, not just for misbehaving. That even states which chronically engage in destabilizing behavior seek to avoid being labeled a lawbreaker is evident from the extent to which they seek to justify their actions in the narrative of international law, as in the case of Russia’s unlawful attempted annexation of Crimea. It is also apparent in their frequent claims that they are not responsible for the actions in question, as with Putin’s denials of Russian involvement in hostile cyber operations.
More important with respect to President Biden’s warnings is the fact that countermeasures may only be taken in the face of breaches of international law that are legally attributable to another state (ASR, art. 49). Countermeasures are actions that would be unlawful but for the fact that they are designed to respond to the unlawful action of another state and either put an end to that activity or secure reparations for harm suffered; notably, they may not be motivated solely by a desire to seek retribution. Among other limitations, countermeasures must also be proportionate in the sense that there has to be a rough equivalence between the harm being suffered by the injured state and that caused to the responsible state (ASR, art. 51).
Countermeasures need not be directed at the cyberinfrastructure used to conduct the hostile cyber operation or even the entity that mounted it. This is an essential point as it permits cyber responses against cyber infrastructure other than that used to conduct the hostile cyber operation. For instance, if a state intelligence agency conducts an unlawful operation, its systems are more likely to be hardened against cyber responses than other cyber infrastructure in the country, such as that in the private sector. So long as proportionate and compliant with the other conditions on the taking of countermeasures, a response against that private cyberinfrastructure to compel the responsible state to desist or provide reparations would be permissible.
Those who oppose the existence of a rule of sovereignty sometimes point out that in the absence of such a rule, an in-kind cyber response to a hostile cyber operation would not need to be justified as a countermeasure to be lawful. This is because there would be no rule of sovereignty rendering unlawful the cyber operation to which it responds.
The argument is flawed on two counts. First, failure to characterize the hostile cyber operation as a breach of sovereignty or other international law rule would forfeit the opportunity to take measures other than retorsion or an in-kind cyber response. In this regard, it is crucial to understand that countermeasures need not be conducted in the same domain as the underlying unlawful act. For instance, an unlawful cyber operation may be responded to by a non-cyber countermeasure, such as closure of the territorial sea to innocent passage or denial of access to airspace provided for in a bilateral treaty. However, if the hostile cyber operation is not a violation of sovereignty or other rule of international law, any such response could not qualify as a countermeasure; it would be unlawful.
This is particularly important for states that lack the capacity to effectively respond by cyber means. Facing hostile cyber operations with no rule of sovereignty to breach, those states would be legally limited to acts of retorsion and factually unable to mount a meaningful in-kind cyber response. This reality, in part, explains why many states embrace sovereignty. To reject the existence of the rule is to take potentially effective non-cyber response options off the table.
Second, although a responding state that rejects a rule of sovereignty might not see itself as operating in contravention of international law, other states that accept the rule might consider its response unlawful (barring a “circumstance precluding wrongfulness,” ASR, Ch. V). Take the case of the recent ransomware attacks. It is unclear that all ransomware attacks amount to violations of sovereignty since they are, in theory, temporary. Or consider a ransomware attack conducted by a non-state actor. Such operations do not (without more) constitute internationally wrongful acts since the element of attribution to a state is lacking. (ASR, Art. 2)
Now imagine a state that does not accept a rule of sovereignty responding by permanently taking down the cyber infrastructure used to conduct the hostile cyber operation. It believes it is acting lawfully because there is no rule of sovereignty to violate. But in the two examples, other states may characterize the response as unlawful on the basis that the responding state’s response violates the sovereignty of the state into which it is conducted and cannot be justified as a countermeasure since it is not responding to an internationally wrongful act.
States considering whether to acknowledge a rule of sovereignty should bear in mind that the precise threshold at which a remotely conducted cyber operation breaches the sovereignty of the state into which it is undertaken remains unsettled. This leaves states acting in good faith free to adopt an interpretation of the breach threshold that reflects their national interests. So long as consistent with the object and purpose of the rule, it is appropriate for them to advance an interpretation of the sovereignty rule that balances the extent to which it on the one hand deters other states’ hostile cyber operations and on the other limits their options when deciding how to respond.
The Biden administration should publicly state that the U.S. government considers sovereignty a rule of international law that is capable of being breached, and if possible, provide further contours regarding the thresholds for, or types of situations in which, such a breach occurs. It would be in good company and would put most potential future countermeasures in response to claimed sovereignty violations on solid legal footing,
Some states and commentators are concerned that the sovereignty rule could bar cyber responses into states to which the hostile cyber operations may not be attributed under the law of state responsibility, or for which insufficient evidence of attribution exists. The concern is that responding to hostile cyber operations without the territorial state’s consent would risk being seen as a violation of that state’s sovereignty if such a rule exists.
Due diligence provides the remedy in many situations (Tallinn Manual 2.0, Rules 6 and 7). As applied in the cyber context, that rule requires a territorial state to take feasible measures to terminate ongoing hostile cyber operations mounted from its territory (or remotely through cyberinfrastructure thereon) that are causing serious adverse consequences for another state’s legal right. The Tallinn Manual 2.0 International Group of Experts concluded that such a rule existed in the cyber context, and most states that have spoken directly to the issue concur (important recent examples being Germany and Japan). However, the 2013, 2015, and 2021 UN Group of Governmental Experts (GGE) reports characterized due diligence as a so-called “voluntary, non-binding norm of responsible state behavior” rather than a binding rule of international law (see discussion here). This was not based on agreement that due diligence was not an international law rule, but rather the inability to secure the requisite consensus that it enjoyed that status among all the participating states; in other words, they left the question open.
The better view is that it is a rule of international law (see also here and here). Failure to recognize it as such is sometimes the product of misunderstanding as to both its limited nature and its utility in providing a legal basis for dealing with hostile cyber operations. With respect to the former, the rule does not require states to take preventive action, such as monitoring its cyberspace. Moreover, it only applies when the hostile cyber operation implicates an international legal interest of the target state, such as respect for its sovereignty, and even then, only when the consequences are substantial. In other words, the obligation extends no further than what responsible members of the international community should be doing already to comply with the voluntary norm acknowledged three times by the GGEs in reports that the General Assembly has endorsed.
This rule also has positive benefits (a forthcoming Lawfare post by Eric Jensen will elaborate on this point). It obligates states to take feasible measures to ensure that they are not knowingly allowing their territory to serve as a base of hostile cyber operations and opens the door to countermeasures against those that do not. Such countermeasures may take the form of cyber operations directly against the third party conducting the hostile cyber operations or against the territorial state itself to compel it to comply with its due diligence obligation. Only when the territorial state is doing what it reasonably can in the circumstances to terminate the hostile cyber operations would that door not be open.
Of particular importance is the availability of the remedy when non-state actors operate independently from or through another state’s territory, or the facts necessary to establish attribution to that state cannot be marshalled. Since it is the territorial state that shoulders the due diligence obligation, the attribution requirement does not frustrate the taking of countermeasures.
It must be cautioned that the rule does not apply to cyber operations unless they implicate the legal rights of other states. Therefore, the rule of sovereignty is critical in the due diligence context. As noted above, the international law most likely to be breached by hostile cyber operations is sovereignty. Absent that rule, the due diligence obligation would apply only rarely.
In this regard, it is occasionally suggested that the rule should apply even when the hostile operation does not implicate a rule of international law, that seriousness of consequences should be the sole criterion; the President’s warning seems to read that way at surface level. Yet, if that was the law, the territorial state would be legally obligated to terminate hostile cyber operations by other states or non-state actors that it could itself lawfully conduct against the injured state. That would make no sense. Thus, the Tallinn Manual 2.0 International Group of Experts concluded that while the duty extends to cyber operations by non-state actors, the rule encompassed only those operations that would be unlawful had they been conducted by the territorial state.
As with the rule of sovereignty, the Biden administration should acknowledge that due diligence is a rule of international law. It should not, however, assert that it contains requirements beyond those outlined above, lest opposition from states that remain wary of the rule result. Absent a rule of due diligence, the U.S. would often lack the legal basis for effectively responding to hostile cyber operations of non-state actors or in cases where attribution to a state proves difficult to reliably establish.
This leads to a third rule of international law that can provide the legal basis for effective deterring and, should deterrence fail, responding to hostile cyber operations. Even if both rules are accepted, many targeted states will lack the practical wherewithal to respond effectively. For instance, they may lack the means to conduct robust cyber operations beyond their borders or have no ability to otherwise pressure a responsible state to desist in its operations or terminate those from its territory with other lawful countermeasures outside of the cyber domain.
This raises the issue of whether other states may come to their assistance in conducting countermeasures. Few states have addressed the topic head-on, but it is being actively discussed behind the scenes, particularly in regional settings like NATO, where France has spoken disapprovingly of collective countermeasures and Estonia supports them (France; Estonia).
Professor Sean Watts and I have recently analyzed this issue in some depth. We observed that “whether states may collectively conduct … countermeasures remains unsettled” among states. However, our conclusion was that
collective cyber countermeasures on behalf of injured states, and by extension support to countermeasures of the injured state, are lawful. We have illustrated that no clear prohibition on collective countermeasures has crystallized to unequivocally preclude a state position, such as the one Estonia took. Instead, the broad vector of international law has been in the direction of the collectivist approach since the last century; there is no reason to suspect that it will change course significantly. Moreover, the unique nature of cyberspace suggests a need for greater tolerance of countermeasures. It appears that states are generally in accord with this premise. Finally, the object and purpose of the rule of countermeasures, when considered in the cyber context, supports an interpretation of countermeasures that allows them to be mounted collectively.
By adopting this position, states would go far in responding to the reality that cyberspace is an interdependent domain, one in which cyber operations into a single country can have global implications. An interpretation of the law that precludes collective action in the face of unlawful cyber operations would leave many states de facto defenseless in the face of hostile cyber operations. And it would mean that even when assisting the victim state in applying countermeasures would enhance international stability, cyber-capable states be left with only retorsion, which may not be robust enough to have the desired impacts in the face of destabilizing cyber operations by malicious actors.
The Biden administration should take the position that collective countermeasures are lawful. Doing so would be consistent with the administration’s return to the international arena and its professed commitment to its allies and partners. Those states may need U.S. assistance when facing powerful adversaries in cyberspace and it will often be in the U.S. national assistance to provide that assistance. In particular, the availability of collective countermeasures would have a strong deterrent effect, while their absence represents an open door to hostile cyber operations against states that cannot respond effectively on their own.
The three rules discussed above remain the subject of disagreement, to varying degrees, among states, practitioners, and scholars. Acknowledging the rule of sovereignty enjoys the broadest backing, due diligence is capturing growing support, and collective countermeasures continue to be a subject of normative uncertainty.
In my estimation, both individual states and the broader international community would do well to embrace all three. As has been explained, they operate synergistically, with one rule compensating for legal or practical deficiencies in the others. Wise states will treat them as a package deal that will measurably enhance their ability to respond to hostile cyber operations against themselves and their partners.
Finally, returning to the President’s warnings, if the administration is serious about responding to hostile cyber operations emanating from Russia but that cannot be attributed directly to the Russian state, it would be wise to publicly articulate its embrace of these rules so that its intentions are understood and countermeasures it might take in response to hostile cyber operations will be on solid legal footing.