Cyber norm development: is the U.S. at an inflection point?
A few weeks ago the Washington Post reported a U.S. offensive cyber operation against the Russian-based Internet Research Agency (IRA) shortly before the 2018 election. Allow me to explain why this operation may indicate something of an inflection point for the U.S. in the development of cyber norms.
“[T]he United States used cyber weapons to take down a Russian state-approved cyber information operation. If the U.S. had done so using a missile (by, say, destroying the facility where the Internet Research Agency is located) it would have been an armed attack and potential a cause of a war-like response And yet, somehow, in doing it via cyber means, the United States has managed to avoid that implication; evaded public scrutiny (until now); and possibly set a new standard for “sub-warlike” cyber activity that begins the creation of new international norms of behavior in the domain.
Let’s unpack the facts and background of this event as we distill what it may mean for cyber norm development.
Why the IRA?
The U.S. Department of Justice (DoJ) charged the IRA with various efforts to interfere with the 2016 election. Specifically, DoJ said:
The indictment charges thirteen Russian nationals and three Russian companies for committing federal crimes while seeking to interfere in the United States political system, including the 2016 Presidential election. The defendants allegedly conducted what they called “information warfare against the United States,” with the stated goal of “spread[ing] distrust towards the candidates and the political system in general.”
As the Post put it: “Posing as Americans and operating social media pages and groups, Russian trolls sought to exacerbate tensions over issues such as race, sexual identity and guns.” The recent U.S. offensive cyber operation apparently was intended to ensure that the IRA would not be able to ”wage information warfare” during the 2018 election.
International law basis?
What, then, was the international law basis for targeting the IRA for an offensive cyber operation? Article 2(4) UN Charter prohibits the threat or use of “force,” but Article 51 of the Charter permits individual and collective self-defense when a state has been a victim of an “armed attack.” However, a conventional legal analysis would likely not conclude that the alleged actions of the Russians amount to an “armed attack” as that term is used in the Charter since there were no casualties or physical damage involved. Still, was the IRA’s “information warfare” effort egregious enough to constitute “force” in contravention to Article 2(4)?
Here’s the tricky part: most nations consider the kind of “force” referenced in Article 2(4) as not necessarily being the same as that constituting an “armed attack” as used in Article 51. In other words, an activity amounting to “force” which violates Article 2(4) might not be of sufficient intensity and scope to constitute an “armed attack” which triggers self-defense authority within the meaning of Article 51.
The U.S. has never accepted this bifurcated interpretation. In 2012 the then legal adviser to the U.S. State Department Harold Koh said:
[T]he United States has for a long time taken the position that the inherent right of self-defense potentially applies against any illegal use of force. In our view, there is no threshold for a use of deadly force to qualify as an “armed attack” that may warrant a forcible response. But that is not to say that any illegal use of force triggers the right to use any and all force in response – such responses must still be necessary and of course proportionate. We recognize, on the other hand, that some other countries and commentators have drawn a distinction between the “use of force” and an “armed attack,” and view “armed attack” – triggering the right to self-defense – as a subset of uses of force, which passes a higher threshold of gravity. (Emphasis added.)
This view was incorporated into the U.S. Department of Defense Law of War Manual (see ¶ 126.96.36.199) in this way:
The United States has long taken the position that the inherent right of self-defense potentially applies against any illegal use of force. Thus, any cyber operation that constitutes an illegal use of force against a State potentially gives rise to a right to take necessary and proportionate action in self-defense.
What makes this interesting is that the Post also observed that:
Two new U.S. authorities facilitated the move against the Internet Research Agency. A presidential order in August gave Cybercom greater latitude to undertake offensive operations below the level of armed conflict — actions that would not result in death, significant damage or destruction. And a provision in the National Defense Authorization Act passed last year also cleared the way for clandestine cyber-operations that fall below that same threshold, categorizing them as “traditional military activity.”
Importantly, under conventional international law analysis, propaganda and espionage activities do not ordinarily amount to a use of force (though other aspects of international law may be offended). Cyber activities below the level of the use of force/armed attack paradigm may nevertheless be subject to countermeasures. These are:
[U]nilateral measures adopted by a State (the ‘injured State’) in response to the breach of its rights by the wrongful act of another State (the ‘wrongdoing’ or ‘target’ State) that affect the rights of the target State and are aimed at inducing it to provide cessation or reparations to the injured State.
However, most experts believe countermeasures cannot involve the use of force. (Moreover, it is unsettled the degree to which – if at all – the entire concept of countermeasures is applicable to non-state actors.) Furthermore, while countermeasures can be taken to put “an end to ongoing activities,” it is not clear that in the absence of a current illegality they can be used simply to deter potential future wrongs, e.g., interference with an election about to take place.
What is the upshot?
A case can be made that: a) the alleged Russian troll activity may be criminal under U.S. law, but the U.S. doesn’t consider it a use of force or an “armed attack,” and b), the U.S. response likewise does not amount to a use of force or an “armed attack.” Thus, an “offensive” cyber-operation that causes an entity to actually lose internet access for several days is not, in the U.S.’s view, a use of “force” within the meaning of the U.N. Charter.
This could be rather significant in terms of norm development, although there are many unanswered questions. For example, is it not “force” simply because interruption of access was temporary and that there are no reports of any injuries or even permanent damage to equipment? Does the nature of the target matter – that is, because it is essentially a propaganda and/or intelligence entity? Can its disruption can be assessed simply as a sort of offensive intelligence operation that does not offend international law regarding the use of force? A form of a countermeasure?
The hard questions:
The hard questions are these: are we willing to consider a several-day interruption of web access for a U.S. entity as something not sufficient to amount to a use of force so as to trigger a right to use force in self-defense? Would that be true for all cyber targets? What if it’s a hospital, and patients are adversely affected? Or is the emerging norm applicable only to those entities whose disruption would not result in deaths or injuries and/or the destruction/damage of property?
In my view, the answer at this time to the last question would be “yes,” and I would not extend what appears to be an emerging norm beyond those facts. Regardless, while the U.S.’s notion of the kind of activity that could trigger a forceful, defensive response is rather expansive, a temporary disruption of web access not resulting in death/injury/damage still does not seem to meet even the threshold of “force” in the U.S.’s view.
Another complexity: questions remain as to whether an operation not amounting to a use of force nevertheless constitutes an unlawful infringement of sovereignty of the target state (where is doesn’t qualify as a countermeasure) See here and here for contrasting views.
Moreover, is there a point at which the U.S. would consider election interference to breach the use of force/armed attack threshold so as to authorize force in response? At the 2018 Aspen Security Forum U.S. Cyber Command commander General Paul Nakasone pointed out that we’ve seen adversaries who “cause discord within our social ranks or attempt to undermine our elections all below the level of war.”
In any event, it appears that what we are seeing is an exercises of the new U.S. Department of Defense Cyber Strategy that says that the U.S. will “defend forward to disrupt or halt malicious cyber activity at its source, including activity that falls below the level of armed conflict.” I agree with an excellent analysis of that strategy (found here) where two experts concluded that it is “much more forward-leaning and risk-acceptant cyber strategy” than the one it replaced.
Here on Lawfire® we’ve been critical of the failure of the U.S. to work to establish norms with respect cyber activities (see here, here, and here). This cyber operation may be a small step – and one relatively uncontroversial – but a step nevertheless towards norm development. Only time will tell if we are at an inflection point or whether this was sui generis.
Still, as we like to say on Lawfire®, gather the facts, assess the law and the arguments, and decide for yourself!