“Cyber disruption,” ransomware, and critical infrastructure: A new US understanding of “attack”?
Does the U.S. now consider a ransomware “cyber disruption” of “critical infrastructure” to be an “attack” within the meaning of international law? If so, it would seem to be an important inflection point for the U.S.’ view as to what sort of cyber activities would trigger the right of self-defense under Article 51 of the UN Charter which, by its text, requires an “armed attack.”
As I explain in more detail here, malicious cyber incidents have generally been considered “attacks” within the meaning of Article 51 only when they directly and foreseeably result in deaths, injuries, or physical destruction of some kind (to include a loss of functionality which requires replacement of components).
Although there is debate, most experts and many nations hold that such violent, physical effects are essential elements to finding a cyber-incident sufficiently analogous in scale and effects to the sort of kinetic attacks contemplated by Article 51 in 1945 when it and the rest of the UN Charter came into being.
Decide for yourself, but it appears that President Biden has concluded that certain cyber activities that are “disruptive” (albeit not necessarily physically destructive, per se), nevertheless can be egregious enough to constitute “attacks” – at least when critical infrastructure (as the U.S. defines it) is victimized. That is arguably a departure from the U.S.’ previous position of ambiguity, and a rather significant one.
Let’s unpack this development some more.
At a June 16 news conference President Joe Biden said he told Russian President Vladimir Putin that “certain critical infrastructure should be off limits to attack — period — by cyber or any other means.” (Emphasis added.)
Biden apparently included the Colonial Pipeline ransomware case – a nondestructive albeit significantly disruptive incident – in the category of the kind of “damage” that would constitute an “attack.” Here’s what he later said about a ransomware “hit” in that same news conference (based on the WH transcript):
“Because, look, the countries that most are likely to be damaged — failure to do that — are the major countries. For example, when I talked about the pipeline that cyber hit for $5 million — that ransomware hit in the United States, I looked at him and I said, “Well, how would you feel if ransomware took on the pipelines from your oil fields?” He said it would matter.” (Emphasis added.)
Distinguishing cyber espionage
The President’s team of explainers went into action almost immediately. Later that day Reuters reported
“A senior administration official said that the proposal was focused on ‘destructive’ hacks, as opposed to the conventional digital espionage operations carried out by intelligence agencies worldwide.” (Emphasis added.)
It would still seem that, given the President’s recognizable reference to the Colonial Pipeline case, a ransomware incident evidently was sufficiently “destructive” to constitute an “attack” in his view when the peril involved interference with the nation’s critical infrastructure.
That said, it is also true that espionage violates the domestic law of almost every nation, but has not historically been considered a breach of international law. The U.S. does not seem to want to alter this norm, despite the impact of cyber.
The extraordinary capacity of cyber operations to enable the theft of enormous amounts of information has led some to suggest that, whatever the traditional norm may have been, the scope and intensity of recent intrusions and exfiltrations of information, such as the massive Chinese cyber theft of millions of personnel records, the SolarWinds hack, and the Microsoft data breach, are so great that the norms traditionally associated with espionage should be rethought and that the U.S. must be prepared to “strike back.”
Scholars like Yev Vindman take a nuanced perspective (“Is the SolarWinds Cyberattack an Act of War? It Is, If the United States Says It Is”). Vindman points out that what may appear to be a nondestructive cyber espionage operation actually uses essentially the same intrusion methodology as would be employed in an effort intended to cause physical harm. As he puts it:
The vulnerabilities are present and continuing on an unprecedented scale, even if currently latent. Consequently, a U.S. response to this attack should be understood as self-defense to an attack in progress. Although the effects of a cyberattack may not be as clear as the bombs dropped on Pearl Harbor or a ballistic missile launch, they should nevertheless elicit a similar level of concern.
In an apparent reference to the international law concept of anticipatory self-defense, Vindman plausibly argues that the “U.S. need not wait for the effects of the SolarWinds attack to be operationalized, just as it wouldn’t wait for ballistic missile impact, before responding.”
It isn’t clear, but it does not seem that the U.S. is yet prepared to call even the uniquely threatening SolarWinds intrusion an “attack,” as it appears to have done with respect to major ransomware incidents.
Why? My bet is that the U.S. would not want to establish a cyber-norm that could operate to limit its own options as to cyber espionage.
“Disruption” equates to “attack” when critical infrastructure is involved?
At a June 17 news conference National Security Advisor Jake Sullivan notably used the term “disruption” instead of “attack” but didn’t seem to draw a distinction between the terms:
“President Biden passed a list of the 16 sectors of critical infrastructure that are enshrined in Presidential Policy Directive 21, and indicated that he was particularly focused on those sectors, in terms of Russia both refraining from state-related cyber disruptions and preventing cyber disruptions by criminals operating from Russian soil.” (Emphasis added.)
He also said:
“[The President] laid down some clear markers with Russia, some clear expectations, and also communicated to them the capacities that we have should they choose not to take action against criminals who are attacking our critical infrastructure from Russian soil.” (Emphasis added.)
What does it all mean?
To reiterate, it appears that the U.S. is now taking the position that a cyber-operation against US-defined “critical infrastructure” that causes a significant “disruption” amounts to an “attack.” Apparently, a ransomware incident – though lacking direct loss of life or physical destruction – is sufficient to constitute such an attack, at least when targeted against critical infrastructure.
In most ransomware incidents the data is not damaged or destroyed, but just encrypted and denied to its owner until a ransom is paid. It is somewhat akin to distributed denial of service (DDoS) incidents, where access is denied. Most nations do not consider DDoS incidents to be “armed attacks” that would trigger an Article 51 right to self-defense.
Importantly, the U.S. has long had a lower threshold than most nations for the kinds of incidents that would permit acts in self-defense under international law. Specifically, Article 2(4) of the UN Charter prohibits the threat or use of “force,” but, as noted above, Article 51 of the Charter permits individual and collective self-defense when a state has been the victim of an “armed attack.”
Here’s the tricky part: most nations consider the kind of “force” referenced in Article 2(4) as not necessarily being the same as that constituting an “armed attack” as used in Article 51. In other words, an activity amounting to “force” which violates Article 2(4) might not be of sufficient violence, intensity, and scope to constitute an “armed attack” to legitimately trigger self-defense authority within the meaning of Article 51.
The U.S. has never accepted this bifurcated interpretation. In 2012 the then legal adviser to the U.S. State Department Harold Koh said:
[T]he United States has for a long time taken the position that the inherent right of self-defense potentially applies against any illegal use of force. In our view, there is no threshold for a use of deadly force to qualify as an “armed attack” that may warrant a forcible response.
But that is not to say that any illegal use of force triggers the right to use any and all force in response – such responses must still be necessary and of course proportionate.
We recognize, on the other hand, that some other countries and commentators have drawn a distinction between the “use of force” and an “armed attack,” and view “armed attack” – triggering the right to self-defense – as a subset of uses of force, which passes a higher threshold of gravity. (Emphasis added.)
Although Koh references “deadly” force, that adjective was dropped when his basic position was incorporated into the U.S. Department of Defense’s Law of War Manual (see ¶ 22.214.171.124) in this way:
“The United States has long taken the position that the inherent right of self-defense potentially applies against any illegal use of force. Thus, any cyber operation that constitutes an illegal use of force against a State potentially gives rise to a right to take necessary and proportionate action in self-defense.”
In short, the U.S. seems to have taken a meaningful step to establish “red lines” as to what constitutes an “attack” in the cyber realm. In doing so, it joins several other nations cautiously exploring the degree to which cyber incidents with serious national impacts might constitute “attacks” despite not directly causing the physical injury or destruction typically associated with a kinetic strike.
The devilish details
The President’s establishment of “clear markers” with respect to critical infrastructure has already garnered critics. As one media source headlined “Biden’s ‘off-limits’ list for Russian cyberattacks criticized as ‘green light’ to target everything else.”
I don’t agree. For one thing, the definition of “critical infrastructure” is fairly far reaching. (Take a look here.) While the details are classified, much seems to fit into this unclassified listing.
Furthermore, simply because a cyber-incident isn’t characterized as an “attack” doesn’t mean it is lawful under either international or domestic law. There are a variety of options nations, as well as individuals, may take even where the incident doesn’t amount to an attack under international law.
To me, it is not irrational to distinguish between the scale and effects of a ransomware attack on, for example, a major meat processor, that threatens a nation’s food supply (one of America’s critical infrastructure sectors), and a ransomware encryption of someone’s personal bank account, as distressing as that may be for the individual.
What is a bit puzzling, however, is this part of the President’s news conference where he is talking about his discussions with Putin:
I pointed out to him that we have significant cyber capability. And he knows it. He doesn’t know exactly what it is, but it’s significant. And if, in fact, they violate these basic norms, we will respond with cyber. (Emphasis added.)
“Respond with cyber”? The U.S. has not previously expressed such a limitation. For example, the DoD Law of War Manual (see ¶ 126.96.36.199) says this:
“No Legal Requirement for a Cyber Response to a Cyber Attack. There is no legal requirement that the response in self-defense to a cyber armed attack take the form of a cyber action, as long as the response meets the requirements of necessity and proportionality.”
It’s curious and unnecessary for a comment to an adversary to indicate that the response of the U.S. would specifically be a cyber one. Let’s hope it was just an off-the-cuff misstatement (or a misdirection) and not a sign that the U.S. is limiting its options.
As commentator Rebecca Grant insists “the historic takeaway from Geneva is that Biden unveiled a direct cyber threat to counter Russia’s recent actions” adding that “[n]ever before has an American president laid it out so bluntly for Putin.” She says “Biden has laid down a scorching red line which Putin and the hackers he harbors must not cross.”
However, she also notes (and I very much agree) that Biden “must be ready to back up words with deeds, in cyberspace and beyond.” She further warns that “China will be watching.”
It is useful to establish “clear” norms and “red lines,” if you will, but failure to follow through if they are breached can be extremely damaging.
Let’s not forget that John Kerry said in 2016 that the “Obama administration’s failure to enforce the ‘red line’ it drew for intervention in Syria against President Bashar Assad in 2012 ‘cost’ the US ‘significantly’ in the Middle East.”
With a cyber-power like China watching, the stakes are even higher in 2021.
Still, remember what we like to say on Lawfire®: gather the facts, examine the law, evaluate the arguments – and then decide for yourself!