“Cybervandalism” or “Digital act of war”? America’s muddled approach to cyber incidents won’t deter more crises
If experts say a malicious cyber code has “similar effects” to a “physical bomb,” and that code actually causes “a stunning breach of global internet stability,” is it really accurate to call that event merely an instance of “cybervandalism”?
Moreover, can you really expect to deter state and non-state actors from employing such code and similarly hostile cyber methodologies if all they think they are risking is being labeled as a cyber “vandal” subject only to law enforcement measures? Or might they act differently if it was made clear to them that such activity is considered an “armed attack” against the United States and that they are in jeopardy of being on the receiving end of a forceful, law-of-war response by the most powerful military on the planet?
Of course, if something really is just vandalism, the law enforcement paradigm with its very limited response options could suffice. But when a malevolent cyber activity endangers the reliability of the internet in a world heavily-dependent on a secure cyberspace, it isn’t just vandalism. Rather, it is a national and international security threat that ought to be characterized and treated as such. Unfortunately, the U.S.’s current approach is too inscrutable and even contradictory to send an effective deterrence message to potential cyber actors. This needs to change.
“A stunning breach of global internet stability.”
If you need an example of the U.S.’s cyber deterrence problem, consider the massive disruption of the Internet that took place on October 21st, 2016. Twitter, Paypal, Spotify and other many other popular websites were virtually shut down when Dyn, a domain name system (DNS) provider that functions as a “switchboard” for an enormous amount of internet traffic, was the victim of a huge distributed denial-of-service (DDoS) attack. How serious was the Dyn incident? William Turton, writing on Gizmodo, said that half the internet was shut down, and Reuters characterized the cyber crisis as “a stunning breach of global internet stability.”
What made this cyber incident especially worrisome is that experts believe the “attackers apparently used tens of thousands of hacked internet of things devices — household appliances such as digital video recorders, security cameras, and internet routers — to generate a massive amount of digital traffic” that jammed the system and ground it to a halt several times.
Although Web functionality was more or less reconstituted by the end of the day, the Dyn attack may signal things to come. A retired intelligence officer ominously suggested that it may have been a probing attack, that is, one designed to enable a hostile actor to “eventually launch a devastating, Pearl Harbor-type cyber attack.” Even before the most recent incident, Bruce Schneier said the “precisely calibrated [cyber] attacks” of recent months “feels like a nation’s military cyber-command trying to calibrate its weaponry in the case of cyberwar.”
Nation-states are not the only ones who need to be deterred from nefarious internet activity as non-state actors can also cause serious disruption. For example, regarding the Dyn incident, Mr. James Clapper, the Director of National Intelligence, indicates that “preliminarily” a non-state actor may be responsible. Regardless, the vulnerability to a range of hostile actors is painfully evident: the devices exploited in this event – which are made with some parts “coming from Chinese suppliers [and] have weak or no password protections” – are extremely common. Intel Corporation predicts the world will have 200 billion of them by 2020, so it’s unlikely that we’ve seen the last of these cyber emergencies.
Cyber vandalism or digital acts of war?
Surveying the wide-ranging impact of last week’s Web calamity, an analyst observed that, “[e]ven though [the malware involved in the attack is] not a physical bomb, it has some similar effects.” The question then is this: does the U.S. consider this unprecedentedly severe incident, involving as it does a cyber capability that has “similar effects” to a “physical bomb,” to be a digital “act of war”?
Evidently not. Even though the facts of the massive shutdown would seem to equate the incident with a traditional kinetic attack, NBC news reports a senior U.S. intelligence official as rather dismissively classifying the incident as just “a classic case of internet vandalism.”
Does the official’s characterization conform to what the U.S. has said previously about the legal status of certain cyber events? Of course, it’s important to understand that “act of war” is a political term, not one of international law. In the post-UN Charter era, the “act of war” idiom is at odds with the underlying thrust of the Charter and especially Article 2(4). It demands that: “[a]ll members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the Purposes of the United Nations.” In essence, “war” as historically understood, is all but illegal; disputes are to be resolved by peaceful means.
There are, however, narrow exceptions to the prohibitions against the use of force. Force is allowed when the Security Council authorizes it under Article 42 of the Charter. Additionally, a nation may employ force in self-defense when it suffers what Article 51 describes as an “armed attack.” (Most nations also believe Article 51 also incorporates an inherent right to act in anticipatory self-defense when an armed attack against them is imminent.)
The law does not define exactly what kind of form of forceful response a country may take in a legitimate act of self-defense except to say it must be necessary and proportional. Nor does it limit a self-defense response in a cyber-situation to an “in-kind” response. The U.S., for example, says a self-defense response to a cyber-attack might include the use of traditional kinetic force involving conventional military weapons.
So when does the U.S. consider itself to have suffered an “armed attack” in the cyber context so as to trigger a right to self-defense under Article 51? Despite the enormous dimensions of the Dyn onslaught, the official’s claim that it is simply “cyber vandalism” (as opposed to any sort of “attack”) seems to suggest that the U.S. doesn’t consider it serious enough to permit a self-defense response within the meaning of Charter. This characterization is rather ironic as the U.S. has previously expressed a rather aggressive stance regarding what sort of cyber incidents could authorize forceful acts in self-defense.
In a seminal 2012 speech, the then-Legal Advisor to the State Department Harold Koh staked out the U.S. position. Initially, he affirmed that “established jus ad bellum rules do apply to uses of force in cyberspace.” (Jus ad bellum is that “branch of law that defines the legitimate reasons a state may engage in war and focuses on certain criteria that render a war just.”) He went on to explain that cyber activities that “proximately result in death, injury, or significant [physical] destruction would likely be viewed as a use of force.”
Pointedly, Koh also said that “if the physical consequences of a cyber attack work the kind of physical damage that dropping a bomb or firing a missile would, that cyber attack should equally be considered a use of force.” (Emphasis added.) In light of the claim that last week’s incident has “some similar effects” to a “physical bomb,” was the Koh threshold met? Or does the absence of “death, injury, or significant destruction” make it fall short in the U.S.’s view?
It isn’t clear. Koh makes it hard to determine because he said that the U.S. “has for a long time taken the position that the inherent right of self-defense potentially applies against any illegal use of force” adding that “[in the U.S.’s] view, there is no threshold for a use of deadly force to qualify as an ‘armed attack’ that may warrant a forcible response.” In other words, from the U.S. perspective, there is no difference between “force” as used in Article 2 of the UN Charter and “armed attack” as used in Article 51.
This interpretation of the law is, internationally, a distinctly minority view, as Professor Michael Schmitt and other cyberlaw experts have noted. It creates a complication because most interpretations of international law find that there are actions which might constitute “force” under Article 2, but not involve the kind of proximate “death, injury, or significant destruction” typically associated with an “armed attack.” Citing Nicaragua v. U.S., Schmitt provides an illustration with obvious implications for the U.S. position on cyber uses of force:
[T]he International Court of Justice held that although merely funding guerrillas who were conducting hostilities against another State did not reach the use of force threshold, arming and training them did. The holding suggests that an act need not have immediate physical consequences to comprise a use of force. (Emphasis added.)
When the Nicaragua holding is juxtaposed with Koh’s assertion that “force” and “armed attack” are conterminous, it seems that the U.S. should consider a grave cyber event like the Dyn attack as the legal equivalent to an “armed attack” even if it did not produce “death, injury, or significant destruction.” After all, if the U.S. position is that any use of force is enough to justify an Article 51 response, disrupting half the global internet with a methodology with effects similar to a “physical bomb” would certainly seem to be at least as significant as arming and training guerrillas in a single country.
To consider an incident as severe as the Dyn case as sufficient to put the perpetrators at risk of a forceful self-defense response not only would conform to the existing U.S. interpretation, but also could signal a norm evolution consonant with what some in the international community are already coming to realize about cyber attacks and Article 51 of the Charter.
The 2013 Tallinn Manual, which many consider to be the leading treatise on the international law applicable to cyberwar, does find that “force” as used in Article 2 (4) is different from the arguably more egregious “armed attack” as set out in Article 51. At the same time, however, its included commentary reports that the group of experts who drafted the Tallinn Manual found the law was “unsettled” as to whether “actions that do not result in injury, death, damage or destruction, but which otherwise have extensive negative effects” could amount to an armed attack.
In fact, we may be seeing a shift towards broader acceptance of the idea that cyber incidents with widespread adverse effects are enough to trigger an Article 51 response, even without any physical injuries or damage. In 2015, two years after the issuance of the Tallinn Manual, Professor Schmitt, who was the project’s director, agreed that if a cyber operation shut down the national economy without death or destruction, it would nevertheless “probably” meet the more demanding “armed attack” threshold.
In addition, UCLA’s Professor Kristen Eichensehr noted the conundrum that “cyber weapons create the possibility of actions that cause severe harm to the victim, but nevertheless do not result in physical damage or injury to persons.” Consequently, she predicted, it is “possible that over time a cyber specific definition of armed attack may arise that does not require physical harm, even though physical harm is required for armed attacks caused by other sorts of weapons.” With the experience of the Dyn case, that time may be now.
The U.S. interpretation of the law would certainly seem to be open to such a finding. In the first place, the 2015 U.S. Department of Defense’s (DoD) Law of War Manual confirms in Chapter XVI (which addresses cyber operations) that the law of war applies to cyber, but admits that “[p]recisely how the law of war applies to cyber operations is not well-settled, and aspects of the law in this area are likely to continue to develop, especially as new cyber capabilities are developed and States determine their views in response to such development.”
Next, the Law of War Manual goes on to essentially incorporate the Koh approach by saying, “if cyber operations cause effects that, if caused by traditional physical means, would be regarded as a use of force under jus ad bellum, then such cyber operations would likely also be regarded as a use of force.” This intriguingly suggests that a use of force sufficient for jus ad bellum might exist even in the absence of physical injuries or destruction.
How? In listing examples of acts that could meet the use-of-force standard, the Manual says: “[c]yber operations [that] cripple a military’s logistics systems, and thus its ability to conduct and sustain military operations, might also be considered a use of force under jus ad bellum.” The footnote supporting this proposition points to a 1999 Assessment of International Legal Issues in Information Operations published by the DoD Office of the General Counsel. That document says:
Even if the systems attacked were unclassified military logistics systems, an attack on such systems might seriously threaten a nation’s security. For example, corrupting the data in a nation’s computerized systems for managing its military fuel, spare parts, transportation, troop mobilization, or medical supplies may seriously interfere with its ability to conduct military operations. In short, the consequences are likely to be more important than the means used.
This illustrates that at least from DoD’s perspective, if a cyber event has significant enough consequences, it can be a casus belli even in the absence of physical injuries or destruction. The relevant question then would be: doesn’t an assault that caused “a stunning breach of global internet stability” and shut down half the internet qualify?
Complicating the issue is the July 2016 testimony before Congress by the State Department’s Coordinator for Cyber Issues Christopher Painter as to what he called “digital acts of war.” According to Painter, in determining on a “case-by-case, fact-specific” basis whether a cyber activity constitutes an “armed attack” sufficient to trigger the right of self-defense, “the actual or anticipated effects of a particular incident” are of “primary importance.” Painter says “the U.S. government believes that states should consider the nature and extent of injury or death to persons and the destruction of, or damage to, property.” If the cyber act “proximately” causes “death, injury, or significant destruction” it would “likely would be viewed as an armed attack.”
The problem, of course, is that while Painter’s formulation includes the obvious “death, injury, or significant destruction” standard, it doesn’t necessarily preclude finding that non-destructive cyber events could also produce “actual or anticipated effects” sufficient to permit an Article 51 response. It seems that Painter intentionally meant to be rather enigmatic as he also claims:
As a general matter, states have not sought to define precisely (or state conclusively) what situations would constitute armed attacks in other domains, and there is no reason cyberspace should be different. In fact, there is a good reason not to articulate a bright line, as strategic ambiguity could very well deter most states from getting close to it.
Does calling a severe disruption “cyber vandalism” deter or incentivize?
While there may be a place for ambiguity in strategic deterrence, the Dyn case shows that it is not working for the U.S. The reason could well be the trivializing public characterization the government has been giving to events like the Dyn incident, not to mention applying similar language even when physical damage actually resulted. In the law, words do matter. Portraying something as “cyber vandalism” would not permit the U.S. to legally respond in the same way it could if it had been struck by a “physical bomb,” and that could have serious consequences for the development of deterrence in relation to cyber events.
Put another way, vandalism is ordinarily understood as a minor criminal law matter involving judicial processes, and not something that would sanction the use of force. As an international law matter, retorsion and countermeasures might be available – as may be other remedies under the law of state responsibility – but none of these options allow the use of force. However, activities that equate to “physical bombs” could readily be viewed as a national security threat where the response in the first instance could be a necessary and proportional use of force to counter them. To reiterate, the law enforcement paradigm suggested by “vandalism” is very different from the jus ad bellum/law of war regime that arises from national security threats, with the “law enforcement” response being much more limited.
Yet even where the cyber incident unquestionably fulfills the “physical damage” criteria, the U.S. inexplicably softens its classification. For example, in 2014, President Obama similarly used the term “cybervandalism” in denying that North Korea’s cyber operation against Sony pictures constituted an “act of war.” However, the Department of Defense Cyber Strategy document released in April of 2015 described the Sony incident much more seriously. It said (p. 2):
North Korea conducted a cyberattack against Sony Pictures Entertainment, rendering thousands of Sony computers inoperable and breaching Sony’s confidential business information. In addition to the destructive nature of the attacks, North Korea stole digital copies of a number of unreleased movies, as well as thousands of documents containing sensitive data regarding celebrities, Sony employees, and Sony’s business operations. North Korea accompanied their cyberattacks with coercion, intimidation, and the threat of terrorism. The North Korean attack on Sony was one of the most destructive cyberattacks on a U.S. entity to date. (Emphasis added.)
Likewise, Lisa Monaco, serving as Assistant to the President for Homeland Security and Counterterrorism, said in July of 2016 that the Sony attack “had crossed a threshold,” adding that it “was both destructive, it fried the computers of Sony Pictures, took them offline and it was coercive.” Given those facts as to physical destruction and coercion, it is hard to argue that the Sonny attack did not meet the U.S. and, indeed, the world’s definition of “armed attack.”
Regarding last summer’s hack of thousands of Democratic National Committee (DNC) emails, Ms. Monaco emphasized the gravity of the event, calling it a “serious, serious issue, a serious thing if there is deliberate intrusion for the purpose of coercing and influencing the political process.” The distinctive nature of the target – the U.S. election system – caused John Brennan, Director of the Central Intelligence Agency, to conclude that “[o]bviously interference in the U.S. election process is a very, very serious matter.”
Despite the consensus about the seriousness and uniqueness of cyber efforts to interfere with the political process, the President again sought to downplay the incidents. In early September he “acknowledged that the Russians have been attacking U.S. institutions on the internet” but has also said that:
Our goal is not to suddenly in the cyber arena duplicate a cycle of escalation that we saw when it comes to other arms races in the past, but rather to start instituting some norms so that everybody’s acting responsibly . . . . What we cannot do is have a situation in which suddenly this becomes the wild, wild West, where countries that have significant cybercapacity start engaging in unhealthy competition or conflict through these means.
By early October the U.S. government was nevertheless explicitly accusing the Russian government of directing what it was calling “compromises” of (but not “attacks” on) cyber systems. It claimed that what it said were “thefts and disclosures” were “intended to interfere with the US election process.” Without referencing a legal basis, Josh Ernest, the White House Press Secretary, said a few weeks ago (but before the Dyn case) that there would be a “response” to these “thefts and disclosures.”
In doing so, Ernest added to the legal muddle by insisting that the response would be “proportional.” The response to a criminal matter like a “compromise” or “disclosure” or even a “theft” is a judicial one; a “proportional” response is, however, the language of force sounding in jus ad bellum, not law enforcement. Confusingly, he also said it “is unlikely that our response would be announced in advance” – again, jus ad bellum terms mixed with criminal law rhetoric. It is true, that an “armed attack” could also be a criminal offense, but the way it is being publicly presented suggests little cognizance of the critical differences between the two legal regimes, or the effect on deterrence those differences might have.
Deterrence and dithering?
Mr. Ernest further obfuscated the matter when he asserted that “[i]t’s certainly possible that the President could choose response options that we never announce.” This is hardly what would or should occur if it really is just vandalism – a criminal law matter – and it is not the way to go about deterring actors from similar behavior. How will people be deterred if the consequences are unknown? Adding to the confusion are press reports that suggest experts are not optimistic that the U.S. even has a clear vision of what the “proportional” response should be, announced or not.
Harvard Law Professor Jack Goldsmith, long a critic of what he calls the U.S.’s “feckless” cyber deterrence policy, warned that the U.S. government’s “dithering” in response to previous cyber incidents (including the 2015 Office of Personnel Management data breach that may have affected as many as 32 million people) was dangerous. He avowed that:
Such a pattern of vacillation in response to very damaging cyber-operations will not deter our adversaries; it will embolden them. It will especially embolden them since the responses the USG finally settles on are much less than proportionate to the damage caused.
Susan Hennessy, a legal scholar at the Brookings Institute, differed somewhat with Goldsmith by asserting that U.S. deterrence policy has been successful to the extent that the U.S. “has never been the victim of a cyber attack that genuinely threatened lives.” She helpfully notes that the “Administration quietly released its policy on cyber deterrence late last year.” That policy states that “the Administration is most concerned about threats that could cause wide-scale disruption, destruction, loss of life, and significant economic consequences for the United States and its interests.” These, it says, would include (but are not limited to):
- Cyber attacks or other malicious cyber activity intended to cause casualties
- Cyber attacks or other malicious cyber activity intended to cause significant disruption to the normal functioning of U.S. society or government, including attacks against critical infrastructure that could damage systems used to provide key services to the public or the government.
- Cyber attacks or other malicious cyber activity that threatens the command and control of U.S. military forces, the freedom of maneuver of U.S. military forces, or the infrastructure on which the U.S. military relies to defend U.S. interests and commitments.
- Malicious cyber activity that undermines national economic security through cyber-enabled economic espionage or sabotage.
Hennessey believes that tampering with the mechanisms of the election is still a “below the threshold” activity (that is, below the “armed attack” standard), although she agrees that such actions combined with others might collectively exceed it. She also points to Phil Walters’ work describing a sophisticated Russian strategy to employ various “below established threshold activities” (BETA) and its relation to deterrence. She concludes that while the U.S.’s deterrence is working so as to be “effectively preventing very serious activity, at least for now,” its responses to BETA “are reactive and unpredictable, which undercuts the deterrent effect.” She closes by saying:
U.S. deterrence policy currently has the feeling of roulette. Maybe the house still wins overall, but it is clear that actors like Russia are happy to keep spinning the wheel while they’re ahead.
Indeed. Less than two weeks after Hennessey wrote her piece, an undeterred actor launched the gigantic Dyn assault that hobbled half of the Web. Even the Department of Homeland Security admitted just a month before the Dyn attack that the U.S. “has experienced increasingly severe and significant cyber incidents affecting both the private sector and Federal Government.” That admission, along with the new Dyn case, ought to make it clear that the U.S. needs to retool its cyber deterrence strategy.
What to do? Clarifying terms
Deterrence is a devilishly complex endeavor, especially where cyber is concerned – but clarifying the law can help. Shortly after the Dyn incident, Mr. Clapper lamented:
[W]e don’t have enough body of law yet. We haven’t, in my opinion — this is not company policy; it’s just me speaking — but we have not been able to generate either the substance or the psychology of deterrence in the cyber realm. And that’s going to continue to be an issue for us.
Irrespective as to whether Clapper is really correct about whether an adequate body of law exists to support deterrence, the fact is that there seems to be that perception among many U.S. officials. In truth, the law itself may not be the problem as much as the proper application of the law (and especially the U.S.’s view of it) to the facts. That proper application can be facilitated by cleaning up the language officials use about cyber incidents, and to synchronize it with announced U.S. interpretations.
To effectively deter, consistency and accuracy of language is indispensable. Since the U.S. has elected to characterize any use of force as sufficient to trigger a right to self-defense under Article 51, when events occur that plainly meet that standard (and even event that cross the more demanding “armed attack” threshold), then they need to be declared a use of force. For example, if the descriptions by DoD and government officials about the scope and intensity of the physical damage inflicted by North Korea in the Sony cyber incident are accurate, it quite obviously meets the standard establish in the Koh speech, the DoD Law of War Manual, and Painter’s testimony.
Watering down official characterizations of the Sony attack (where computers were “fried” and “thousands” of them rendered “inoperable”) to merely being an incident of cybervandalism carries real consequences. At best confusion arises, and at worst, a norm develops that says to potential cyber adversaries that even if they inflict damage and coercion of that level of scale and intensity, they are still not in peril of anything worse than an indictment in a U.S. court that they can understandably expect will never result in an actual prosecution.
To be sure, there are acts that may appropriately be characterized as just cybervandalism. For example, in early 2015 when Islamic State hackers penetrated U.S. Central Command social media accounts, the U.S. branded it as “purely a case of cybervandalism.” Even though the hackers posted “threatening messages and propaganda videos, along with some military documents,” the command maintained that the “operation military networks were not compromised and there was no operational impact to U.S. Central Command.” It is possible that as cyber enables the ability to hyper-personalize threats on an unparalleled scale, the impact on civilians of hacking of social media accounts may eventually cause the development of an international norm prohibiting doing so. Still, every hostile cyber activity cannot and should not be characterized as a use of force, even under the U.S.’s more permissive standard.
It does help when, as noted above, the U.S. defines the cyber activities it wants to explicitly deter (beyond generically wanting to deter all crime). The problem with the listing is that it may include activities – cyber espionage for example – that are rightly violative of domestic U.S. law, but would not necessarily be something that the U.S. and its allies would want to be considered in international law, at least at the moment, as a casus belli. It may be suitable for the development of new norms not involving force in light of the enormous capability of cyber methodologies, but a clear delineation between what authorizes a forceful response, and what is limited to other options is what is needed.
In short, for deterrence to work there needs to be more precision in the official language used to describe specific incidents that comports to the U.S.’s own interpretation of a use of force that would authorize a response in self-defense. If the facts show an incident being characterized as a use of force sufficient to permit the use of force under Article 51, then the official language needs to be consistent with that assessment.
What to do? Develop norms as to the “red lines”
It is vitally important, however, to appreciate that simply because a particular cyber act may legally constitute an “armed attack” that might qualify for the political characterization of an “act of war,” that doesn’t mean that a country is obliged to respond to it with force. Indeed, there are many political reasons that would counsel against doing so. This is where Mr. Painter goes wrong with his discussion about “strategic ambiguity.”
In deterrence, ambiguity may be useful with respect to a response, but it is markedly less so when you are talking about the threshold. Misunderstandings as to where the proverbial “red lines” are set can lead to dangerous miscalculation, unintended escalation, and unwanted conflict. Given the enormous potential of cyber acts to do harm, potential actors ought not to get mixed messages as to how the U.S. considers harmful cyber activities.
Frustrations with the opaqueness as what cyber activity would constitute a casus belli appears to have motivated Congressman Mike Rounds to propose a bill earlier this year that would require the President to develop a policy for determining “when an action carried out in cyberspace constitutes an act of war against the U.S.”
Rounds points to testimony of Marine Lt. Gen. Vincent Stewart, director of the Defense Intelligence Agency, as part of his rational for the legislation. Stewart admitted that a “much fuller definition of the range of things that occur in cyber space [is needed], and then [we should] start thinking about the threshold where an attack is catastrophic enough or destructive enough that we define it as an act of war, I think that would be extremely helpful.”
Stewart isn’t alone in not “fully” understanding where the threshold lies. Other Pentagon leaders apparently are equally uncertain, something that raises the obvious question: if our leaders don’t know, how can we expect potential adversaries to understand which acts might spark a full-blown war? At the same time, except in the most aggravated cases, enumerating in advance precisely which cyber acts exceed the use of force threshold might be nearly impossible.
This is where norm development in international law comes into play. In doing so, the U.S. needs to use the language of international law. Political terms like “digital acts of war” are unhelpful not only because they do not track with the language of the law, they also can imply to the general public a level of response that is unnecessarily provocative and even inconsistent with the proportionality and necessity factors intrinsic to a lawful exercise of self-defense, especially in the complex cyber arena.
As discussed, the U.S. has, in fact, laid out in broad terms what kind of cyber activities it wants to deter, and generally how it interprets the law applicable to cyber operations. What is required now is for the U.S. to act consistently with these conceptual positions when cyber incidents actually occur. We now seem to be in a cycle where we are facing ever more dangerous and damaging cyber incidents, yet they are rarely given the appellations established U.S. legal interpretations would seem to indicate. Instead, incidents too often are characterized with language that would put them outside the kinds of activities that would authorize a forceful Article 51 response.
The U.S. also has to be more forthright about its response to incidents because that too influences norm development. True, there may be times, as the White House spokesman Josh Ernest said, that the U.S. would “never announce” a response to a particular cyber incident, but that should very much be the exception and not the rule. As Bloomberg News’ Eli Lake argued last July after the DNC hack:
[T]here is also a consequence for keeping quiet. It might give Russian hackers the impression that the U.S. is uninterested in deterring them. Indeed, it appears they are under that impression already.
Transparency should not be underestimated as a deterrence factor. Potential cyber attackers calculate exactly what kind of malicious activity will generate a response, and how costly that response might be.
The bigger picture
It is crucial that the U.S. express its positions unmistakably about cyber incidents it has suffered, particularly given the approach of two of the world’s most formidable cyber actors. Professor Schmitt noted in 2014 that:
The UN Group of Governmental Experts, which includes representatives from Russia and China, agreed in 2013 that international law applies to cyberspace. Interestingly, Russia and China did not agree to a reference to international humanitarian law and China reportedly does not accept the applicability of IHL in cyberspace. (Emphasis added and citations omitted)
For example, the Chinese acknowledge that “although the existing laws on armed conflicts and general international principles may all apply to cyberspace, there are still many issues that need clarification…[t]he international community should, therefore, revise existing laws – but it is important that this international legal framework maintains sufficient openness and flexibility.”
Although purportedly not officially speaking for the Chinese government, Professor Huang ZhiXiong of China’s Wuhan University Institute of International Law is reported to have said at a 2015 conference on cyber law that:
In his view, the Tallinn factors relevant to evaluating when a cyber activity rises to a use of force (which include severity, directness, and invasiveness) are too malleable and the bar for what activities are uses of force should be higher. Second, he sought a higher bar than Tallinn 1.0 sets for when a state may invoke the right of self-defense. In his view, a state does not have a right of self-defense against attacks by non-state actors, nor does a state have the right of self-defense against an imminent attack.
If the Chinese government de facto adopts (or has already adopted) Professor ZhiXiong’s perspective as to the inapplicability of the right to self-defense in cyber incidents, and Russia fuses with that view, their combined impact would be very influential in the development of an international norm that is contrary to the U.S. view.
Some final thoughts
It is inarguable that the U.S. needs to be judicious in its characterizations of, and response to, cyber events. No one wants to unnecessarily aggravate an already difficult situation. Uncertainty as to how to effectively respond and still avoid counterproductive escalation are real problems of deterrence. But before determining whether and how to respond, the legal options need to be apparent. In that regard the U.S. is at the point where it needs to be more forthright when incidents occur that appear to violate its own announced standards as to when a cyber action equates to an “armed attack.”
Again, calling something the equivalent of an “armed attack” so as to permit a forceful and proportional response in self-defense under Article 51 does not mean that such action necessarily be forthcoming in every instance. Rather, what it would do is make it unmistakable to all concerned that the U.S. asserts it has a lawful option to use force in self-defense if it chooses to do so, not that it will in each case.
When the U.S. fails to properly characterize cyber incidents, and frequently suggests that they are simply vandalism, thefts or other matters which are readily interpreted by cyber actors and publics around the world as being within the law enforcement modality and outside of the jus ad bellum legal regime, no one should be surprised if norms begin to emerge more in keeping with what Russia, China, and hostile cyber actors prefer.
Deterrence in the cyber realm quite obviously needs strengthening, and dealing with the legal piece of that effort matters. We still have the chance to set the record straight – to develop that “body of law” Director Clapper believes we are missing – but that opportunity diminishes with each passing incident where the proper legal characterization is understated and muddled.