Usually my blog posts are focused on the arguably mundane practices of cybersecurity governance. Today, though, I would like to get into something a bit spicier. Right now, as I write this, Russia has about 90,000 troops amassed at the Ukrainian border, and China has been harassing Taiwanese airspace for months. Some kind of aggressive action, possibly cyber-related, seems very possibly forthcoming; and with it, likely a response in kind.
It’s a known fact that Russia, China, North Korea, Iran and others engage in regular cyber attacks against other countries, including the US. We see this all the time. What I think is unclear to most people are the rules governing the responses to such attacks. Below I give a broad overview of how cyber attacks are handled by governments around the world.
First off, you should know that the international law around a state actor's right of self-defense is extremely murky and highly disorganized. Furthermore, different countries disagree on the interpretation of the laws that exist. That being said, there are some general rules that are followed by responsible governments.
When is self-defense by a country warranted after a cyberattack?
Generally speaking, self-defense is only permissible if the following conditions are met:
1. The cyberattack constitutes a “use of force” that violates international law;
This is a very gray area, but generally it is agreed that the following factors should be considered:
- Severity of the cyberattack (this is the most important factor);
- Immediacy of the attack’s effects (the attack’s effects are felt immediately);
- Directness of the attack to its effect (proximity of cause to the effect);
- Invasiveness of the attack on a country’s governmental systems;
- Measurability of the attack's effects (the effects of the attack are clear and quantifiable right away);
- Level of military connection to the attack; and
- Level of government connection to the attack.
2. The “use of force” is attributable to a state;
An act is only attributable to a state if it is carried out by an organ of the state (e.g., military, intelligence agency, or other government agency).
i. Exception: a cyberattack carried out by a non-state actor, where the state later acknowledges and adopts the conduct in question as its own.
3. The “use of force” constitutes an “armed attack” that entitles the aggrieved country to self-defense;
The law here is very gray, but the standard is very high in the cyber context. It must be “the most grave” form of “use of force.” It is currently unclear whether acts that do not cause injury, death, damage, or destruction could ever rise to the level of an “armed attack.” What is clear is that it does not include intelligence gathering or temporary interruption of noncritical services.
i. IMPORTANT NOTE: The United States government does not agree that an “armed attack” is necessary for self-defense. The US position is that any “use of force” triggers the right to self-defense. This is not the international law consensus view.
ii. IMPORTANT NOTE: The United States and others also hold the view that self-defense can be invoked preemptively against threats. Presumably these are threats that, if carried out, would rise to the level of “use of force” (US) or “armed attack” (others).
If a cyberattack constitutes an “armed attack,” what are an aggrieved country’s options?
- A country’s self-defense countermeasures must be “necessary for the protection of its essential security interests.” A country should determine whether or not there is a course of action it can take that does not constitute a “use of force” to protect its essential security interests.
- A country’s self-defense countermeasures must also be “proportional.” There is a lot of disagreement as to what standard constitutes proportionality. One proposal by legal scholars asserts that an aggrieved country needs to assess whether the damage caused by the countermeasures employed would be outweighed by the resulting social good.
If a country is hit with a cyberattack that falls short of “use of force” or “armed attack,” what are its options?
1. The only acceptable countermeasures to such a cyberattack would be those which are designed “to induce [the] responsible State to comply with the legal obligations it owes an injured State.” Additionally, the countermeasures must be “proportionate to the injury to which they respond” and should not be punitive, but rather an instrument for inducing a responsible State to comply with its obligations. Often these countermeasures take the form of:
- Cessation of trade;
- Suspension of diplomatic relations;
- Expulsion of diplomats, travelers and other nationals; or
2. IMPORTANT NOTE: There is no per se prohibition on espionage under international law, and the US takes the position that “unauthorized intrusions into computer networks solely to acquire information” will be treated as “traditional intelligence and counter-intelligence activities under international law.”
I hope you have found this blog article enjoyable and informative. On behalf of Digital Edge, please have a safe and happy holiday.