Over recent weeks, concern has been expressed that Russia might launch hostile cyber operations against the United States and other NATO members in parallel with a military campaign against Ukraine. That military campaign is now fully underway. This article examines how the feared Russian cyber operations would be characterized under international law and outlines the response options open to States targeted by them. The analysis is, among other things, a cautionary note to those who would too readily jump to describing such Russian operations as an “attack” that triggers the alliance’s collective self-defense mechanism. It is important to sort through the more likely scenarios of Russian-led activity below that threshold, as well as if that threshold is crossed. And it’s important to comprehend how the legal framework applies to Russian use of non-state actors to carry out such operations. All this and more in the analysis that follows.
A. Legal Character of the Cyber Operations
Three “internationally wrongful acts” (the international law term for an unlawful act or omission) loom large with respect to the possible Russian cyber operations. If Russia’s actions are unlawful it significantly alters the scope of measures that States can take in response.
The first and most likely possibility is that the operations would violate Russia’s obligation to respect the sovereignty of other States. Such a violation could occur if the Russian operations cause particular effects in the United States or other NATO States or interfere with their “inherently governmental functions” (Tallinn Manual 2.0, rule 4).
The precise effects that qualify as a violation of territorial sovereignty are unsettled. Of course, Russian cyber operations that cause physical damage or injury would qualify, as in the case of physical damage resulting from manipulating a critical cooling system of targeted equipment. However, the likelier effects of Russian cyber operations would be (temporary or permanent) loss of functionality of cyber systems or the manipulation or alteration of data. Most States would view a permanent loss of functionality as the equivalent of physical damage to the affected cyberinfrastructure or the systems that rely upon it. Below that threshold, consensus on the nature or severity of qualifying effects is lacking. France has gone furthest by suggesting that merely causing effects on French territory suffices for violation of its sovereignty. Wherever the line lies, it is clear that cyber operations against both public and private systems can amount to sovereignty violations on this basis.
Russia might also violate sovereignty based on its operations’ interference with inherently governmental functions. Elections and law enforcement are the paradigmatic examples, but national defense is also an inherently governmental function. Any Russian cyber operation targeting military capabilities or activities would qualify as a violation of sovereignty on this basis. For instance, a temporary denial of service operation that disrupted troop deployments would violate sovereignty. Arguably, this would be the case even if the interference occurred outside the United States, as with U.S. troop activities in Europe.
There is a fly in the ointment. In 2018, the United Kingdom stated that, at least in the cyber context, there is no rule of sovereignty, a position it reiterated in 2021. Despite these formal pronouncements, the UK Foreign, Commonwealth and Development Office criticized Russia’s cyber operations earlier this month for failing to respect Ukraine’s sovereignty. (See also UK statement classifying Russian cyber operations in 2018 as “flagrant violation of international law”). Every other State that has taken a firm position on the matter has disagreed; indeed, NATO’s most recent Allied Joint Doctrine for Cyberspace Operations (2020) characterizes sovereignty as a rule of international law (with the UK but not the US reserving). The United States has not released a definitive position on the matter, although a 2021 statement hinted at emerging support for the “sovereignty is a rule” stance.
A second possibility is that the Russian cyber operations would violate the prohibition on intervention into the internal or external affairs of the targeted State (Tallinn Manual 2.0, rule 66). As noted in the International Court of Justice’s Nicaragua judgment, intervention requires (1) “coercion” into (2) the targeted State’s “domaine réservé” (an area of activity left to States by international law). Reduced to basics, intervention involves forcing the target State to engage in activities or take decisions, or refrain from them, against its will. Russia could coerce by cyber means the target State’s ability to engage in the protected activity or overcome the State’s will regarding its protected policy choices and actions. It must be cautioned that merely influencing decision-making does not suffice.
As noted, the effect must be on the State’s domaine réservé. In this case, military and political decisions and activities would be the logical objectives of Russian cyber operations – and would meet the standard. For instance, a cyber operation that interfered significantly with planning and executing U.S. forward deployments into Europe would qualify. So too would cyber operations against the economy of a small NATO State of such severity as to de facto force it to vote in a particular manner in the North Atlantic Council. By contrast, cyber operations that merely generate domestic sentiment against U.S. or another State’s involvement in European security affairs would not rise to the level of intervention.
Use of Force
Hostile Russian cyber operations could also qualify as unlawful uses of force in violation of Article 2(4) of the UN Charter and customary international law (Tallinn Manual 2.0, rule 68). Cyber operations that cause significant physical damage or death targeting the United States or its NATO allies would be unlawful on this basis. Since such operations are unlikely, the question is whether non-destructive or non-injurious Russian cyber operations could nevertheless qualify as uses of force. It is important to caution that the qualification of a hostile cyber operation as a use of force simply means it is an internationally wrongful act. Whether a State may respond with its own use of force is a question of self-defense, discussed below.
States are increasingly taking the position that cyber operations may amount to uses of force based upon their “scale and effects” (see, e.g., statements in the 2021 GGE Compendium), a position that NATO has also taken. Those States that have spoken to the issue typically look at an array of factors when determining whether the requisite threshold of scale and effects has been reached. For instance, in 2021, Germany noted:
The determination of a cyber operation as having crossed the threshold of a prohibited use of force is a decision to be taken on a case-by-case basis. Based on the assessment of the scale and effects of the operation, the broader context of the situation and the significance of the malicious cyber operation will have to be taken into account. Qualitative criteria which may play a role in the assessment are, inter alia, the severity of the interference, the immediacy of its effects, the degree of intrusion into a foreign cyber infrastructure and the degree of organization and coordination of the malicious cyber operation.
Unfortunately, few States have offered examples of non-destructive or non-injurious cyber operations at the use of force level. Notably, however, Norway and France have indicated that large-scale cyber operations against their national economy would qualify; the Netherlands has also raised this prospect but has not taken a definitive position yet.
Aside 1: Russian Government and Non-State Actors
In addition to organs of the Russian State such as the GRU or FSB launching hostile cyber operations against other States, Russia has long turned to non-state groups such as the Internet Research Agency and potential ransomware hackers to conduct cyber operations on its behalf. Under the law of State responsibility, the operations are attributable to Russia when conducted pursuant to Russia’s “instructions, or direction or control” (Articles on State Responsibility, art. 8). This standard excludes mere “patriotic hackers” but would include hacker groups, private companies, and others operating at Russia’s behest.
Aside 2: The Application of International Humanitarian Law
Irrespective of whether prospective Russian cyber operations might constitute an internationally wrongful act, the question remains whether they might initiate, in lay terms, “war” between Russia and the targeted State. In international law, we call that an “international armed conflict” – and it brings into operation international humanitarian law (eg the Geneva Conventions) to regulate the belligerents’ conduct, including the operation itself. An international armed conflict occurs when there are hostilities between two or more States. The nature and severity of the requisite hostilities are contentious, especially with respect to cyber operations that may not be destructive or deadly. (Tallinn Manual 2.0, rule 82).
It is unfortunate that the lay term for such situations is “war.” It is crucial that diplomats, commentators and others keep distinct the legal understanding that an “international armed conflict” may exist between two States because of the introduction of force, but that force may not rise to the level of an “armed attack” triggering the right to exercise self-defense.
Causation of significant physical damage or death in the target State would likely qualify as an international armed conflict. However, States have been reticent about treating even cyber operations causing physical damage or necessitating replacement of cyber infrastructure, such as those launched by Iran into Saudi Arabia against Saudi Aramco, as such. In any event, it is unlikely that potential Russian cyber operations would be at a level triggering an international armed conflict between Russia and the target State. The more likely scenario for triggering an international armed conflict is a kinetic engagement between Russian and NATO military forces deployed forward, for instance, in the Baltic States. At that point, an international armed conflict would exist, and international humanitarian law would govern cyber operations with a nexus to that conflict.
All that said, I am bracketing here whether the United States and other NATO member states might already be parties to an international armed conflict with Russia for purposes of applying international humanitarian law. The question, on which I am not expressing an opinion here, would be whether their current military support for Ukraine makes them co-belligerents in the ongoing international armed conflict between Ukraine and Russia.
B. Response Options
Four categories of responses are on the table for reacting to Russian cyber operations against the United States or other NATO members — self-defense, necessity, countermeasures, and retorsion.
States may resort to the use of force only in the first of these cases, namely, self-defense. In all but the last of these cases (retorsion), States may take actions that would otherwise be unlawful in responding to Russian operations. Such responses, however, would have to meet other preconditions. I assess each option in turn.
Use of Force in Self-Defense
Acting in self-defense is the least likely response. That is because a Russian cyber operation crossing the required threshold of an “armed attack” is the least likely to occur. Article 51 of the United Nations Charter provides, “Nothing in the present Charter shall impair the inherent right of individual or collective self-defence if an armed attack occurs against a Member of the United Nations, until the Security Council has taken measures necessary to maintain international peace and security.” Customary international law is generally in accord. Under the law of State responsibility, the right of self-defense is a “circumstance precluding wrongfulness,” that is, a situation in which a State may engage in otherwise unlawful conduct to defend itself (Articles on State Responsibility, art. 21). Most importantly, the right of self-defense allows States facing an armed attack to use force in their defense. That force may be cyber or kinetic, and the response need not be in kind; kinetic force may be used to respond to a cyber armed attack and vice versa (Tallinn Manual 2.0, rule 71).
Of course, States may defend themselves against a cyber “armed attack.” But in the current context, the right of collective defense looms even larger. That is because some of the NATO States that Russian cyber operations might target cannot mount an effective defense on their own.
In this regard, Senator Mark Warner, the Senate Intelligence Committee Chairman, has suggested the prospective Russian cyber operations could trigger Article 5 of the North Atlantic Treaty. In relevant part, the article provides:
The Parties agree that an armed attack against one or more of them in Europe or North America shall be considered an attack against them all and consequently they agree that, if such an armed attack occurs, each of them, in exercise of the right of individual or collective self-defence recognised by Article 51 of the Charter of the United Nations, will assist the Party or Parties so attacked by taking forthwith, individually and in concert with the other Parties, such action as it deems necessary, including the use of armed force, to restore and maintain the security of the North Atlantic area.
NATO has repeatedly confirmed that the right of self-defense applies in cyberspace. Accordingly, the question is whether the possible Russian cyber operations might rise to the level of an “armed attack” under UN Charter Article 51 and, therefore, Article 5 of the North Atlantic Treaty.
The prevailing view is that, in the words of the International Court of Justice in Nicaragua, an armed attack is the “most grave form” of a use of force. Thus, the scale and effects of any Russian cyber operations would have to be especially severe before triggering the right of individual or collective self-defense. Physical damage or death might need to occur before consensus on classification as an armed attack could be achieved. That said, at least one NATO member, France, has taken a broad view suggesting a cyber operation would be an armed attack “if it caused substantial loss of life or considerable physical or economic damage.”
Whether cyber operations at the armed attack level of severity by non-state actors trigger the right of individual or collective self-defense is contentious. However, States at least agree with the premise set forth in Nicaragua that if a non-state actor conducts a cyber armed attack on behalf or with the substantial involvement of a State, that State will have conducted the armed attack. The victim state will thus enjoy the right to respond with forcible cyber or kinetic measures against both the non-state actor and the other State, and look for assistance to other States in collective defense.
An advanced point to keep in mind: the test of “substantial involvement” appears limited to the law of self-defense. It does not appear to be a general test of attribution that can be applied in other contexts (e.g., in terms of violations of sovereignty or non-intervention).
But if non-state actors like “political hacktivists” or “patriotic hackers” conduct the operations without such connections to the State, the legal picture is less clear. The United States and numerous other States, including key NATO members (the United Kingdom and Germany), take the position that so long as the cyber operations reach the armed attacked level of severity, the victim state has the right of individual self-defense and may look to other States for assistance in collective defense. However, that position is not universal even in NATO. France, for example, has expressed hesitation on the matter.
It must be cautioned that the United States has long taken the position that there is no difference in terms of a threshold between a use of force and armed attack (State Department Legal Advisor remarks at USCYBERCOM conference 2012). Since most of its NATO allies do not share that view, the U.S. position on this point would enjoy little play in North Atlantic Council deliberations.
Given the unlikelihood that Russia will launch cyber operations so severe as to trigger the individual or collective right of self-defense, the remaining response options are particularly important. But before proceeding, it is important to register one caveat: Russia has attacked Ukraine directly, and other States could use force against Russia in collective self-defense of Ukraine, if Ukraine authorities so request it.
A State may respond according to the “plea of necessity” if hostile cyber operations against it affect an “essential interest” and constitute a “grave and imminent peril” (Articles on State Responsibility, art. 25). This right would exist even if a connection between a non-state actor mounting a qualifying operation and Russia cannot be established (a requirement for countermeasures discussed below) or when there is no violation of international law in the conduct of the cyber operation (e.g., because the target State does not recognize the rule of sovereignty). For example, severe hostile cyber operations mounted to express support for Russia could be underway but cannot reliably be attributed to Russia under the law of State responsibility. A target State nevertheless could respond in a manner that would otherwise violate the international law rights of the State into which the response is conducted (like sovereignty). The prevailing view, however, is that a response on this basis may not be at the use of force level (Tallinn Manual 2.0, rule 26).
States targeted by cyber operations conducted by Russia’s military or intelligence organs, or otherwise attributable to Russia under the law of state responsibility, may respond with “countermeasures” (Tallinn Manual 2.0, rules 20-25). Countermeasures are acts or omissions by a State that would violate international law but for the fact that they respond to another State’s unlawful acts or omissions and are designed to cause that State to desist and provide any reparations that might be due. Significantly in the current context, a countermeasure need not be in kind. To illustrate, if Russia launches cyber operations violating the sovereignty of a NATO State, that State could respond by closing its territorial sea to innocent passage by Russian flagged vessels. The countermeasure must be proportionate to the harm caused and the legal rights involved.
In the current crisis, the issue of “collective countermeasures” is of particular significance. There is an ongoing debate over whether one State may assist another in conducting cyber countermeasures, or even conduct the countermeasures on its behalf. NATO is at odds on this critical matter. Estonia has taken the position that collective countermeasures, like collective defense, are permissible, whereas France opposes the right to engage in countermeasures collectively. Other States have remained silent. In light of the current crisis, it would seem that the practical and legal arguments for collective countermeasures are compelling, as few NATO States could mount effective countermeasures alone against Russian cyber operations.
Finally, all States are entitled to engage in acts of “retorsion” in response to possible Russian cyber operations, whether unilaterally or collectively. The term retorsion denotes an act or omission that may be unfriendly but does not violate any rule of international law. For example, the sanctions already being imposed on Russia in response to its military operations are acts of retorsion. These are the acts well within the policy discretion of States, which they may pursue under any circumstances. It’s their baseline set of policy options.
A. Legal Character of the Cyber Operations
1. Violations of sovereignty
Supermajority view: Most States take position that cyber operations could violate sovereignty; interference with inherently governmental functions (including national defense) would likely count as such a violation.
Caveat: The United Kingdom does not recognize a rule of sovereignty in the cyber context, and the United States has not taken a definitive position on the issue. However, both may be moving toward the prevailing view in recent statements.
Russian cyber operations could violate the prohibition on intervention into the internal or external affairs of the targeted State if the cyber operation involves (a) coercion (b) in the targeted State’s domaine réservé. Russian operations that merely influence decision-making does not suffice.
3. Use of force
Cyber operations that cause significant physical damage or death constitute unlawful uses of force.
Many States have said they will examine the scale and effect of non-destructive or non-physically injurious Russian cyber operations to determine if they qualify as a use of force under 2(4) of the UN Charter and customary international law.
4. Role of non-state actors
Under the law of state responsibility, operations conducted by non-state groups are fully attributable to Russia when conducted pursuant to Russia’s instructions, direction, or control.
5. Application of international humanitarian law
Kinetic or cyber force that cause significant physical damage or death in the target State qualify as an international armed conflict. International humanitarian law (e.g., the Geneva Conventions) would govern cyber and kinetic operations in such a conflict.
Caveat: International humanitarian law may already apply if United States and other NATO member States are parties to the Ukraine-Russia international armed conflict (e.g., as co-belligerents due to military support for Ukraine).
B. Response Options
1. Law of self-defense
NATO has repeatedly confirmed that the right to self-defense to an armed attack applies in cyberspace.
A victim State may respond in self-defense if a non-state actor conducts a cyber armed attack on behalf or with the substantial involvement of a State.
The United States, United Kingdom, and Germany take the position that a victim State may respond in self-defense to cyber operations of non-state actors that reach the armed attack level of severity.
Caveat-1: Regardless of any cyber operations directed against them, States can resort to uses of force against Russia in collective self-defense of Ukraine, if Ukraine requests such assistance.
Caveat-2: The United States adopts an anomalous position that any use of force triggers the right of self-defense and does not have to rise to a higher scale or effect to constitute an armed attack. That said, the actions taken in self-defense would still have to be necessary and proportionate, according to all States’ (including the United States’) view on the law.
2. Justification of necessity
A victim State may take an otherwise unlawful action in response to cyber operations based on the justification of necessity if the State cannot establish a connection between an offending non-state actor and Russia or cannot claim that the Russian action violates international law.
A victim State may respond with countermeasures, acts or omissions designed to cause Russia to desist in illegal conduct under international law.
An ongoing debate exists on whether one State may assist another in conducting cyber countermeasures, or even conduct the countermeasures on the victim State’s behalf (collective countermeasures).
In response to cyber operations, State may engage unilaterally or collectively in unfriendly acts against Russia that do not violate a rule of international law like the imposition of sanctions.
Whether Russia will conduct hostile cyber operations against NATO States remains to be seen. Still, its recent escalation of military operations in the international armed conflict with Ukraine that stretches back to 2014 is cause for concern. Should Russia do so, the characterization of those operations, and the response to them, must be carefully nuanced. International law would prohibit many such cyber operations, but the basis on which it does so varies depending on their effects. In response to unlawful Russian operations, international law also allows for responses that themselves would under other circumstances be unlawful. However, because they would otherwise be internationally wrongful acts, international law imposes strict constraints on when and how they may be conducted. The most demanding constraints apply when the victim State or its allies wish to respond forcibly by kinetic or cyber means pursuant to the right of self-defense.