Are cyber norms as to what constitutes an “act of war” developing as we would want?
Yesterday I attended the “Cyber Warfare and the Maritime Domain” event at the Center for Strategic and International Studies hosted by my friend Kath Hicks and featuring Vice Admiral Jan Tighe, USN, Deputy Chief of Naval Operations for Information Warfare/Director of Naval Intelligence. VADM Tighe had a number of fascinating things to say, including some comments of particular interest to lawyers.
Perhaps of most importance were VADM Tighe’s remarks about something previously discussed on Lawfire (“‘Cybervandalism’ or ‘Digital act of war’? America’s muddled approach to cyber incidents won’t deter more crises”): is the development of international norms as to what constitutes (in political terms) an “act of war” proceeding as we would want? Here’s what VADM Tighe had to say as reported in the Washington Examiner this morning (“Admiral: US tolerated cyber ‘acts of war’ over last decade”):
“We’ve had an awful lot of examples of what, 10 years ago, we assumed would be construed as an act of war,” Vice Adm. Jan Tighe said Thursday. “And, in a lot of cases, there has not been a response, either a military response or a diplomatic response.”
She then referenced the cyber-attack on the Ukrainian electrical grid and observed:
“The international community did not even really come out strongly and say, ‘this is unacceptable, you cannot go after critical infrastructure,’” she said at the Center for Strategic and International Studies. “Where is the hue and cry in that? And so, what that says is, that must be okay. That must be perfectly acceptable. When you’re not at war, you can attack someone’s critical infrastructure.”
Ironically, there has been a lot of work done to help nations work through the law regarding cyber incidents. For example, the NATO-sponsored Tallinn 2.0 Manual provides superb guidance as to the current state of the law vis-à-vis cyber operations (albeit it is not an official NATO document). Chapter XVI of the DoD Law of War Manual also provides – at least for DoD – some broad guidance as to the law applicable to cyber operations.
The devil, of course, is in the details – and those details involve determining what facts are appropriately applied to the law. It is here where uncertainty frequently exists. For example, last June, NATO Chief Jan Stoltenberg announced that a “severe” cyber-attack might trigger NATO’s Article 5 “collective self-defense” authority, but it still isn’t clear what “severe” would mean to decision-makers in a particular factual circumstance.
Given the importance of state practice in the development of norms, VADM Tighe’s comments are apropos. In speaking to some National Security Council experts yesterday afternoon, I argued (along the lines of my prior Lawfire blog) that it is extremely important for the U.S. to characterize cyber incidents for what they really are (at least from the U.S. perspective). If they amount to unlawful uses of force that violate the UN Charter and permit a self-defense response under Article 51 of the Charter, we should say so. (N.B. The U.S. takes an expansive view of what would trigger self-defense authority – see Chapter XVII of the DoD Law of War Manual and former Legal Advisor to the State Department Harold Koh’s 2012 remarks, and the critique of them here.)
Importantly, an official characterization of a particular cyber incident as a “use of force” or “armed attack” (UN Charter terms) – or even the colloquial “act of war” (again, a political term, not a legal one) – does not mandate a particular response, but doing so would nevertheless serve to help advance international norms. Of course, like everything else, there are potential downsides. In a very thoughtful article, Hofstra professor Julian Ku discusses the “restrictivist” view that China takes with respect to the use of force generally, and opines that it may not be in the U.S.’s interest to force China to accept the U.S. interpretations of international law restrictions as to cyber warfare because of the potential of China applying them pejoratively to U.S. actions in other contexts.
I do see Professor Ku’s point, and it’s important to understand the unintended consequences of norm development, including how a norm regarding cyber might impact non-cyber activities. Still, there are other actors of concern in cyberspace beyond China. Consequently, I believe that – on balance – acquiescing to the Chinese view on use of force writ large by downplaying incidents in the cyber realm will advance the development of unhelpful international cyber norms. Cyber deterrence is difficult enough, but it’s hard to see how it could ever work absent making clear the behavior you want to deter, as well as the range of options that behavior would then permit. Even if not every episode is officially measured against the U.S.’s view of the applicable international law, doing so in the more egregious incidents would be progress.
No doubt, the characterization of particular cyber cases can be a complex factual undertaking. In a recent post on Just Security, Professor Mike Schmitt does an exceptional job of analyzing norm development in the tricky area of cyber incidents involving financial data, which can cause very significant consequences but which may not directly involve death or destruction, or even the loss of functionality of cyber infrastructure, which in many quarters of the international law community are prerequisites for triggering self-defense authorities.
Such difficult situations aside, it still seems to me that a forthright assertion, one way or another, with respect to the U.S.’s legal position in more obvious cases (e.g., the Ukrainian blackout) is the kind of legal support operators like VADM Tighe need and, frankly, have the right to expect.
VADM Tighe also had some interesting things to say about legal support more generally. She assessed the legal support as “pretty good,” and said that the “knowledge base of the legal advisors…[is] getting much more mature in cyberspace than it has been previously.” She cited the military use of civilian cloud computing capabilities as one example of the kind of legal challenges that are emerging.
She also made an oblique reference to the Navy’s efforts to groom military justice experts as perhaps being something of a model for developing cyber law specialists. She is likely referring to the controversial proposal for a military litigation career track for judge advocates. It’s controversial largely because historically there has been the view that most JAGs need to be fundamentally generalists because that optimizes their usability and deployability. Generalists are often most readily available for a broad variety of assignments/situations which may require a flexible range of skills. However, lots of people now argue that, given the sheer complexity of many criminal cases these days – and particularly those involving sexual assault allegations – such career tracking is required to improve competency in the military justice area. VADM Tighe seems to be suggesting that the technical and legal challenges of cyber matters may require a similar kind of career vectoring.
A video of the full presentation is found here, and below is an unofficial transcript of my question and VADM Tighe’s response:
Charlie Dunlap: Charlie Dunlap from Duke Law School. Ma’am, do you think that you’re getting the legal support that you need in the sense of rules of engagement and so forth, and are you having any challenges with your JAGs and your civilian lawyers understanding the technology enough to give you the kind of legal advice that you need? You spoke recently, or just a moment ago, about the language in the contract, and that would require a lot of knowledge of the technology.
Vice Admiral Jan Tighe, USN: No, I think that’s a great question. It’s been, when you think about the rules of engagement side, my experiences were more in my previous jobs. I don’t have to invoke rules of engagement at the current job at the Pentagon.
Well, maybe just with my coworkers (laugh). But the, you know, under U.S. Cyber Command and Fleet Cyber Command rules, that interaction with the legal staff, our JAGs, and the civilian workforce that is at OSD, it has been pretty good and, you know, I see that it is growing in terms of the knowledge base of the legal advisors there, certainly, you know, across the country, you’re seeing the lawfare discussions, it’s getting much more mature in cyberspace than it has been previously.
But I think what the military justice side has done has looked to create some experts, but again, they still end up being pockets of experts that can support commanders in the rules of engagement side of the house. On the contracting side of the house, that’s a completely different set of OGC types of lawyers that have to be brought up to understand these things.
I think the cloud part of it really challenges us because again, we’re not talking about government-owned infrastructure that we can just do what we will with. To the degree that we leverage the public cloud different than the government cloud, the actual public cloud, our ability to go in or to direct things inside of that commercial side, I think is, will continue to challenge us as we’re writing the policies for what good security looks like when we put DOD data into public infrastructure, so there is a lot there for the legal side. But I think everyone is coming up on step at the same time.
Wait can I…because it kind of touches on, I was thinking when you first asked it, some of the challenges that the legal side has is the lack of norms out there. And so – international law, how do you apply it, what’s reasonable, what’s reasonable to expect in cyber? – those norms, ten years ago we thought, well, there just hasn’t been enough run time in this cyber warfare domain to establish norms of behavior and what’s acceptable.
Well, we’ve had an awful lot of examples of what ten years ago we assumed would be construed as an act of war. And that, in a lot of cases there has not been a response, either a military response or a diplomatic response, and so that gets back sort of into the policy – how does the legal side advise us on what’s good policy going forward?
And you know, the example I used in Ukraine, the international community did not even really come out strongly and say – this is unacceptable! You cannot go after critical infrastructure. Where is hue and cry in that? What that says is: that must be okay. That must be perfectly acceptable. When you’re not at war, you can attack someone’s critical infrastructure. Without that voice, without that strong response from the international community, we’re not going to get to real norms.