It’s (belatedly) official—ransomware is a national security problem. Recognizing the strategic threat shadowy criminal organizations (often with loose or cryptic affiliations to nation-states) now pose to critical infrastructure, the economy, and basic public services, President Biden made clear last month that the United States will no longer view the growing scourge of criminal ransomware attacks solely through the limited prism of law enforcement. As evidenced by the White House’s establishment of a multi-agency ransomware task force, it is a national security threat that requires decisive, coordinated action leveraging all elements of national power. So, President Biden’s most recent warning to President Putin during a July 9th phone call seems straightforward: take care of the ransomware problem emanating from Russia or the United States will.
As Jack Goldsmith points out here, this is not the first time Biden or his predecessors have issued stern warnings to Putin about Russian cyber threats. Legitimate concerns over drawing unenforced redlines aside, what is different this time is that the cyber operations the U.S. expects Putin to put a stop to are not directly attributable to the Russian state. Rather, they are the work of Russian criminals, and Biden considers cyber operations against their infrastructure to be part of the self-help toolkit on the table should Russia fail to take action. Specifically, during his call with Putin, Biden told him that the United States would “take any necessary action to defend its people and its critical infrastructure in the face of this continuing challenge,” and when reporters asked whether those actions might include cyber operations against the infrastructure behind the attacks, his answer was a succinct “Yes.”
This forward-leaning position is a stark reminder that if necessity is the mother of invention, it is the grand matriarch of state behavior and the primary driver for the adoption and evolution (or lack thereof) of international law and norms. The need to proactively disrupt these ransomware attacks grows more compelling with each episode. Even the New York Times Editorial Board understands the strategic imperatives at play, describing the ransomware problem, even if a bit hyperbolically, as “a war that needs to be fought, and won.” As my former Cyber Command teammates deftly articulated here, as a matter of domestic law and policy, bringing the Department of Defense’s substantial capability and capacity to bear on this problem as part of the solution is a sound and necessary choice.
This leaves the issue of the United States’ obligations under international law and its views on how they would apply to the cyber operations implicated in Biden’s threat. What can we draw from his apparent decision to embrace, at least as an option, cyber operations targeting for disruption the overseas infrastructure of non-state criminal organizations? Does it signal an evolving U.S. position on the unsettled debate over the purported rule of cyber due diligence? That is, does the United States now consider Russia (and presumably other states in whose territory ransomware infrastructure resides) legally accountable, directly or indirectly, for the actions of non-state criminal organizations? Or does it reflect an assessment, consistent with at least the United Kingdom’s view (and that of the U.S. Department of Defense), that the principle of sovereignty does not present a legal barrier to conducting certain counter-ransomware operations?
In a characteristically thorough and thoughtful post here, Professor Michael Schmitt urges the United States to affirmatively weigh in on these legal-policy questions, as well as the issue of whether states can engage in collective countermeasures. Acknowledging the magnitude of the ransomware problem and the fact that the law enforcement response paradigm alone has proved inadequate, Schmitt recognizes the need to adopt “a more aggressive approach than has been taken in the past.” He suggests that for the counter-ransomware operations Biden has referenced to “fit comfortably within a legal framework,” the United States should expressly endorse three interdependent legal positions; to wit, that: “1) Sovereignty is a rule of international law; 2) States must exercise due diligence to terminate hostile cyber operations from their territory; and 3) States may engage in collective countermeasures.” According to Schmitt, embracing these positions would “operate synergistically to provide the optimal legal framework for responding as President Biden has suggested, not only to deter and respond to hostile cyber operations into the United States but also those targeting U.S. allies and partners.”
At one level, Schmitt is correct. If the rules he advocates for are to provide even a modicum of the security benefit he suggests, they must be adopted together as they are mutually dependent, at least with respect to sovereignty and due diligence. Unfortunately, his arguments in favor of those two rules are grounded in several flawed premises that undermine his conclusions about the efficacy of his recommendations. Endorsing the positions on sovereignty and due diligence set out in Schmitt’s post would unduly constrain the United States’ ability to more proactively counter ransomware and other cyber threats.
The Unsettled State of International Law
The questions of whether, and if so how, international law applies to state interactions in the cyber domain have been the subject of rich debate for years. At this point, the answer to the first question is effectively settled—international law applies to states’ activities conducted in and through cyberspace. The United States has long been at the lead on taking this position and is committed to respecting its international legal obligations in the conduct of cyber operations.
However, the answer to the second question has proved far more challenging. After years of negotiation, the UN Group of Governmental Experts (GGE) and Open Ended Working Group (OEWG), the only two official, multi-state bodies to address the question, have been able to reach consensus only on a handful of basic precepts. Similarly, the growing number of official state pronouncements that have come out in the last several years have demonstrated as much divergence as convergence of views. On certain points there is wide agreement among those states that have weighed in, such as the view that cyber operations are subject to the jus ad bellum and the jus in bello when conducted as part of an armed conflict. In contrast, states have offered a spectrum of views about sovereignty and due diligence, with consensus proving elusive.
This should be unsurprising, because as Israel’s Deputy Attorney General Roy Schöndorf has noted, the unique, nascent, and evolving nature of the domain calls for “an extra layer of caution . . . in determining how exactly international legal rules apply to cyber operations, and in evaluating whether and how additional rules should be developed.” While the U.S. has taken a lead role in advocating international law’s applicability to the cyber realm, for many of the reasons Schöndorf cited it has proceeded prudently on the question of how international law applies.
The United States has offered some glimpse into its approach to the multi-faceted question of the normative status and contours of sovereignty (here, here, and here), which is markedly different from the position Schmitt advocates it adopt; insofar as, for example, the Department of Defense has stated its solidarity with the United Kingdom’s view that there is insufficient evidence of the existence of a customary international law rule of sovereignty that would “generally prohibit[] . . . non-consensual cyber operations in another State’s territory.” The U.S.’s view on due diligence is more opaque, with many believing that it remains unconvinced it is a rule of international law applicable in the cyber context. Greater transparency on these issues is no doubt important to shaping how customary international law might influence state cyber interactions going forward, but that is distinct from the precedent question of what the substance of the U.S. position should be on these open questions. As Schmitt acknowledges, these are unsettled areas. However, the United States need not wade precipitously into these debates in the ways he suggests.
The False Prophet of Countermeasures
Countermeasures are sub-use-of-force actions that alone would be unlawful but for the fact they are taken in response to the internationally wrongful act of another state and are specifically aimed at inducing that state to return to compliance or pay reparations. Regarding the specific question of collective countermeasures, Schmitt is correct. As Eric Talbot Jensen and I wrote in 2018, and Schmitt and Sean Watts have set out more recently, aside from resting on a weak legal foundation, the view that states cannot deploy countermeasures in collective aid of other states is anachronistic and maladapted to today’s security environment. It is for this reason that Estonia was correct in eschewing this artificial constraint on collective action. More cooperation with partners and allies is certainly a key component to the U.S.’s overall cyber strategy, and to the extent countermeasures might prove useful as a tool of compellence in a given situation, there is no sound reason why they should be limited to unilateral employment.
However, while partner operations may prove beneficial at times, there is no indication that the U.S. needs to or will rely primarily on others to deliver the disruptive cyber effects Biden alluded to. They would presumably be U.S.-conducted operations.
Moreover, depending on which state or academic you ask, the law of countermeasures suffers from several other equally disabling constraints, rendering them far less useful as a self-help security tool, at least in the context of cyber, than Schmitt suggests. For example, there is a general view that countermeasures cannot be employed anticipatorily, substantially limiting their effectiveness as a means of proactively countering and disrupting cyber threats that have yet to fully manifest. Efforts to force another state to stop, or put a stop to, malicious cyber operations may at times be the last best option, but it is an ex post, not an ex ante approach, where the harms will have already manifested and the adversary’s objectives likely achieved.
Also, countermeasures are available only against states, not non-state actors or criminal organizations. So, for countermeasures to have any bite against the ransomware problem, the United States would also have to endorse the due diligence rule, and even then, their availability would be limited for the reasons laid out below. This overstatement of the utility of countermeasures is one of several factors undermining Schmitt’s arguments that endorsing the three positions he adopts is the “optimal legal framework for countering ransomware attacks.”
Due Diligence – Raising the Tide or Creating False Expectations
As the adage goes, a rising tide lifts all boats. In this sense, getting states to better police their respective corners of cyberspace is a laudable goal and holds some potential to contribute to a more stable and secure internet. The UNGGE has consistently said states should aspire to do so, noting that they “should not knowingly allow their territory to be used for internationally wrongful acts using [information and telecommunications technologies].” Biden’s admonition to Putin seems grounded in this same view, although his demand arguably goes further (non-state actors cannot commit internationally wrongful acts). However, whether Russia or any other states bear a legal obligation to thwart criminal ransomware activities emanating from their territories is a very different and unsettled question.
In broad terms, the ostensible international obligation of cyber due diligence requires states to take feasible measures to try to put a stop to ongoing malicious cyber activities, at least of a certain magnitude, that it knows (or reasonably should know) are being conducted from or through their territories, including by non-state actors. On its face, this sounds beneficial and reasonable enough. However, as with the principle of sovereignty, the applicability and scope of the due diligence rule to cyberspace is hardly a settled issue and for good cause.
While a handful of states have endorsed the view that due diligence is a general rule of international law with particularized applicability to cyberspace, others specifically disagree, and as Schmitt acknowledges and Professors Sean Watts and Eric Jensen document in an excellent discussion of the contours of the debate, there is insufficient evidence at this time to assert that any cyber-specific rule of due diligence exists as a matter of customary international law. Given the unique attributes of cyberspace, it is, as Israel points out, with good reason that the UNGGE has repeatedly confined the concept of due diligence to a voluntary, non-binding norm.
According to Schmitt, failure to endorse due diligence as a binding rule of international law will effectively leave the United States without the legal basis to respond “to hostile cyber operations of non-state actors or in cases where attribution to a state proves difficult to reliably establish.” This warning is true in so far as by “respond” Schmitt is specifically referring to countermeasures. But advancing due diligence as an end run solution to the (increasingly less) difficult problem of attribution is grounded on a number of faulty premises, starting with the interdependent need to adopt the Tallinn 2.0 view of sovereignty as a rule of international law that would otherwise bar a range of non-consensual, self-help counter-cyber (not countermeasures) options.
Among proponents of cyber due diligence, there is a wide variance of views as to the purported rule’s scope. Some argue that for the rule to have any real effect, it should include an obligation to both monitor domestic cyber infrastructure and prevent a broad array of transboundary cyber harms. A preventive obligation does find support in the specific context of international environmental law where international tribunals have invoked due diligence to establish state responsibility. However, mapping such an aggressive version of due diligence to the unique cyber context raises serious concerns about the potential impacts on human rights such as privacy and free speech. It would also place an unreasonable expectation on states and substantially broaden their exposure to claims of breach and the attendant, potentially escalatory consequence of countermeasures. As Watts and Jensen rightly caution, “by presenting more opportunities for more States to allege more breaches of international law, due diligence potentially increases the frequency of States’ resort to countermeasures and their accompanying potentially destabilizing effects.”
Those who advocate for the cyber due diligence rule respond to these concerns by asserting that it does (or should) not include a duty to prevent harmful activities. That was the position the Tallinn 2.0 contributors took. While this caveat may lessen overall risks to privacy and potential conflicts with human rights obligations, it also substantially waters down the value of the due diligence rule as a means of tamping down malicious cyber activity.
According to the Tallinn Manual 2.0 approach, which Schmitt advocates for, cyber due diligence does not include a duty to monitor and prevent; rather it is triggered only upon actual or constructive knowledge of the ongoing harms. Where that knowledge would derive from presents several challenges. For example, victim states may often be placed effectively in a Hobson’s choice of having to compromise sensitive sources and methods in order to put the other state on sufficient notice. Further, once triggered, the obligation is only one of feasibility, and even then, it is a rule of conduct, not consequence. That is, if it is infeasible for a particular state to identify the source of or take effective action to stop harmful non-state actor cyber activity emanating from within its borders, it has not breached its obligation of due diligence. Even if it takes responsive measures, so long as they are reasonable—very much a function of each state’s specific capacity and capabilities, or lack thereof—it matters not that they are ineffective. Finally, as Schmitt notes, cyber due diligence only applies where the transboundary harm would amount to a breach of international law if committed by the territorial state, and the consequences of the harm are substantial.
Setting aside the subjective and indeterminate meaning of “substantial,” and the wide swath of harmful activity that would fall below this threshold, it is an overstatement to suggest that when it comes to policing non-state actors, an assertion of a breach of cyber due diligence would open the door to countermeasures against non-state, criminal actors. First, unlike non-state actors, states operate with the benefit of public authority, which means many of the cyber-enabled harms criminals inflict would not amount to breaches of international law if committed by the territorial state, even if one accepts the Tallinn 2.0 asserted rule of sovereignty (for example, non-state actors and cyber criminals often employ the same or similar tools and techniques as those used by states in the conduct of espionage, which is not prohibited by international law). As such, cyber due diligence would not obligate the territorial state to intervene. Second, given that the limited purpose of countermeasures is to induce a breaching state to return to compliance, it is far from clear how taking direct action against a criminal organization’s infrastructure would have any coercive effect on the territorial state itself. Given that criminal infrastructure is almost always distributed globally, these deficiencies are replicated exponentially.
This is not to say that calls to embrace a cyber-specific rule of due diligence in and of itself are wholly without merit. Broad adoption of cyber due diligence as a rule of customary international law might increase pressure on states to improve overall cybersecurity within their respective borders, which would be a net positive. However, doing so at this time would not offer the security benefits (ready access to countermeasures) Schmitt suggests. As Watts and Jensen note, “[t]he lack of a duty to prevent or even monitor, coupled with [the] high threshold of harm and absolute requirement of knowledge, suggests a minimally intrusive notion of due diligence applicable to cyberspace.” In other words, the times when state inaction, even in the face of actual knowledge of transboundary harms emanating from within a state’s territory, would be internationally wrongful, would be exceedingly narrow to the point of being nearly useless. Therefore, tying the ability to counter these harms to first establishing a breach of cyber due diligence would be counterproductive. It would further incentivize bad actors to forum shop the situs of their infrastructure and operations to states actually or ostensibly lacking the capability or capacity to effectively disrupt them while opening law abiding states like the United States to another line of lawfare attack. Finally, the very limited value the cyber due diligence rule might offer is, as Schmitt acknowledges, dependent on also adopting the Tallinn Manual 2.0 rule of sovereignty, which would be ill-advised at this time.
The Purported Rule of Sovereignty – Be Careful What You Bargain For
The debate over the normative status and contours of sovereignty in international law is long running, remains unsettled, and need not be relitigated here. As Schmitt points out, a growing number of states have offered their views on the subject, some more concrete than others. Artificial scorecards notwithstanding, these views are varied and often caveated. As Jack Goldsmith and Alex Loomis point out here, claims about the customary international law status of the purported rule and what it proscribes are overstated and inconsistent with state practice.
It is true that the United States has not completely shown its cards on the sovereignty question, but neither has it played them overly close to the vest. All indications are that the United States is not rushing to adopt the Tallinn Manual 2.0, Rule 4 approach for which Schmitt advocates. Nevertheless, he urges it to do so on two grounds: enhanced deterrence and greater compellence (i.e., availability of countermeasures). I’ll turn briefly to the former here, and address the latter below.
In a word, there is little evidence that international law, in and of itself, serves as an effective tool of deterrence. At risk of stating the obvious, inherent in a rules-based international order is the existence of rules, and many states find it advantageous to interact within such a system. Building on and reinforcing the rules-based order is and should be a U.S. goal. But it is not the threat of punishment, let alone shaming, that attracts states into the rule-of-law fold. It is the stability and predictability the system offers, and the broader benefits of operating within a generally cooperative community of states. However, for states like Russia that eschew the rules-based order, their compliance with international law is often in the breach and based on a risk calculation that the actual cost of non-compliance will outweigh their perceived benefit of breach.
One need look no further than Russia’s repeated violations in its near abroad of the UN Charter’s use of force prohibition, and contrast this with its calibrated efforts to not trip that threshold with its cyber operations against the U.S. and NATO allies. It is not the normative value of the jus ad bellum that matters to Russia, it is the fact that Article 2(4) effectively stands in as a redline for consequential retaliatory force in self-defense; a risk Russia is ill-concerned with when dealing with Ukraine or Georgia.
To believe that Russia and the other progenitors and enablers of ransomware attacks and other malicious cyber operations will be at all deterred by the mere declaration that they are international law breakers is quite unrealistic. Schmitt’s oft-repeated assertion that declaring cross-border cyber operations to be violations of a rule of sovereignty would “allow[] the so-called ‘injured state’ to name and shame the ‘responsible state’ for violating international law” ignores the now substantial body of evidence that naming and shaming has had little to no deterrent effect. It also ignores the unique strategic characteristics of the cyber domain that time and effort have shown to be unamenable to traditional deterrence theories. Throwing the patina of an accusation of a sovereignty violation is unlikely to alter this reality, especially in light of what Schmitt acknowledges is a vague standard. His odd citation to Russia’s annexation of Crimea is illustrative. Obviously, international law did not even serve as a speed bump to this blatantly unlawful and roundly condemned action, notwithstanding Russia’s dissembling, post-hoc efforts at engaging in lawfare.
Endorsing sovereignty as a rule, certainly as expressed in Rule 4, will not offer the security benefits Schmitt suggests, but will certainly self-limit counter-cyber options without appreciably constraining adversary actions. That portends a return to the policy of restraint that prevailed, and failed, prior to 2018.
Mixing Apples and Oranges: Disruption vs. Deterrence and Compellence
How the United States should approach these unsettled legal-policy questions is no small matter, but they do not present themselves in a vacuum. To avoid consequential problem-solution mismatches, arguments for or against resolving these questions in any specific way must take account of the strategic context and security imperatives on which they bear.
Schmitt maintains that his recommended endorsements would provide the optimal legal framework to “deter and respond” not just to criminal ransomware but to hostile cyber operations generally. And why not? Deterrence is the cowbell that everyone reflexively wants more of. But as others have demonstrated and I discuss here, traditional deterrence concepts are ill-fitted to the cyber context and have proved largely ineffective. Further, to the extent deterrence can play some positive role in the cyber context, international law’s efficacy in achieving deterrence is uncertain at best.
Schmitt is right to distinguish between deterrence and response, although more precision is needed in his use of the latter term to fully evaluate the policy benefit of his recommendations. Other than measures of benefit denial, deterrence involves only the credible threat of punishment designed to discourage an adversary from taking unwanted action. In contrast, compellence aims to induce an adversary to change its behavior, either by taking, ceasing or undoing a specific action. When Schmitt speaks of response, he appears to do so in the sense of compellence in as much as he links response directly to the international law concept of countermeasures.
As a means of coerced inducement, countermeasures can play a useful role in compellence when appropriate, but they are far from a legal or security panacea. As discussed above, they are subject to several strictures that limit their utility in the cyber context. In addition, those on the countermeasures bandwagon often ignore the escalation dynamics of invoking countermeasures to justify otherwise internationally wrongful, cross-domain compellence measures.
However, the primary point of cyber operations aimed at disrupting anticipated and on-going threats, such as taking down criminals’ ransomware infrastructure, is not to deter or compel adversaries. Although the lines are not always pristine, deterrence and compellence should be distinguished from active defensive operations aimed at countering ongoing hostile cyber threats which is what is immediately needed and what Biden was seemingly referring to. As I noted before with respect to the Department of Defense’s concept of defend forward:
The limits of deterrence [and compellence] in the cyber realm are similar to other strategic threats such as terrorism and espionage, where the ability to deter adversary actions is limited or ineffective. Defend forward is meant to proactively contest, disrupt and degrade cyber aggression at or as close as practicable to its source before it reaches U.S., allied and partner networks. It takes as a given adversary persistence and entrenched will and is, therefore, aimed principally at disruption, not dissuasion.
Not only does Schmitt misconstrue the strategic context and purpose of counter-cyber operations, but a major flaw in his argument is also that it tethers U.S. counter-cyber options to a self-declaration that an unspecified swath of those options are otherwise unlawful as violations of sovereignty and therefore presumptively unavailable unless they can be justified as countermeasures. This is wrong for several reasons. For one, compellence measures need not be limited to actions fitting within the encumbered box of countermeasures. For example, the oft-used tool of sanctions are lawful acts of retorsion (response actions that, while unfriendly, are not in violation of international law). Second, and for similar reasons, proactive defend forward, counter-cyber operations can also be conducted without first requiring legal justification. Of course, this latter point depends on one’s views on the normative status and scope of sovereignty. Adoption of Schmitt’s preferred rule would unduly constrain counter-cyber maneuver space.
Rather than create “optimal synergy,” adoption of Schmitt’s recommendations would once again cede initiative back to the aggressor states and adversaries in this space and constrain options to disrupt criminal ransomware activities. Quite simply, given the strategic dynamics of cyberspace, reliance on countermeasures is akin to constantly shooting behind a moving target and is unlikely to mitigate the adversary’s strategic gains or set security conditions in the U.S.’s favor. The U.S. would do well to bear in mind the hard-learned lessons about the dynamics of this unique strategic environment before prematurely adopting positions that will unduly limit its options.
Conclusion
Experience has shown that relying on deterrence to provide the security umbrella against cyber threats that is so sorely needed is a fool’s errand. Hope is not a method, and neither is returning to reactive restraint as a strategy to effectively counter these threats and set security conditions in the favor of law respecting states. As it has done in other domains, international law has an important role to play in setting some semblance of security and stability for a globally interconnected cyberspace. But the space is nascent and evolving, and states need to carefully assess whether and when foregoing the freedom of action through the adoption or advancement of specific international law rules will work to their individual and collective benefit. With regard to the ostensible rules of sovereignty and cyber due diligence, the United States should continue to let caution be the watchword of the day.