Was the Congressional Research Service’s “Use of Force in Cyberspace” report a ‘miss’?
The normally highly reliable Congressional Research Service (CRS) seems to have missed the mark a bit with its recent (Dec 10) report on the “Use of Force in Cyberspace.”
There are certainly aspects of it that are useful, but some of the information was incomplete in important ways, and too often conveyed in a manner that was unnecessarily confusing. Here are some thoughts you may find helpful as you read it.
International law applies
The bulk of the CRS report might suggest to some readers that it is unsettled as to whether international law, to include the law of armed conflict, applies to cyber operations. It does apply.
Inexplicably, CRS doesn’t get around to mentioning this fact until the very last lines of the report – virtually as an afterthought following a lot of confounding rhetoric like that about the alleged absence of “international, legally binding instruments…to explicitly regulate inter-state relations in cyberspace.”
Simply because an international agreement (e.g., the UN Charter) may not use the word “cyberspace,” and isn’t exclusive to the domain, hardly means “cyberspace” isn’t obviously subject to its application.
Moreover, though there may be some outlier governments, the report of the UN’s 2021 “Group of Governmental Experts on Advancing responsible State behaviour in cyberspace in the context of international security” makes it clear that the global community in general accepts that international law applies to cyber activities and, specifically, that international humanitarian law (the law of war) applies during armed conflict.
What seems to distract the CRS is how the law may apply to particular facts and circumstances, but this is different than suggesting an absence of relevant and even controlling law.
That misguided belief has caused some, for example, to call for a “digital Geneva Convention.” Actually, an applicable set of Geneva Conventions (and other forms of international law) already exists. (See here as to why companies should not sign the “Cybersecurity Tech Accord.”)
As the world continues to explore the implications of various hostile cyber operations, it is hardly the time to abandon an existing legal architecture that can tell us much, and frequently provides ready analogies. There may be areas worthy of adjustment or even addition, but international law applies now.
[T]here is no question that IHL applies to, and therefore limits, cyber operations during armed conflict – just as it regulates the use of any other weapon, means and methods of warfare in an armed conflict, whether new or old. This holds true whether cyberspace is considered as a new domain of warfare similar to air, land, sea and outer space; a different type of domain because it is man-made while the former are natural; or not a domain as such.
Prohibition on the use of “force”
There is much in the CRS report about the use of force, but let’s try to do some clarifying by returning to a few basics. The fundamental international law constraint is found in Article 2(4) of the UN Charter, which prohibits the threat or use of “force.”
However, there are exceptions, and of particular relevance to this discussion is Article 51 of the Charter. It permits individual and collective forceful acts of self-defense when a state has been a victim of an “armed attack” – so long as the actions are necessary and proportional to the threat. Additionally, it is well accepted that Article 51 also permits nations to act in “anticipatory self-defense” in the cyber context when faced with an imminent cyber-attack.
The determination of “imminence” in the cyber context can be complex because of the velocity of cyber technology (see here and here), but the Tallinn Manual – the world’s most-respected treatise related to cyber operations – explains that the majority of the International Group of Experts (IGE) who helped write it agree that “imminence” isn’t a strictly temporal calculation. The Manual’s commentary says they concluded that:
[A nation] may act anticipatorily only during the last window of opportunity to defend itself against an armed attack that is forthcoming. This window may present itself immediately before the attack in question, or, in some cases, long before it occurs. For these Experts, the critical question is not the temporal proximity of the anticipatory defensive action to the prospective armed attack, but whether a failure to act at that moment would reasonably be expected to result in the State being unable to defend itself effectively when that attack actually starts. (Emphasis added.)
But what is “force” in the cyber domain?
The Tallinn Manual (Rule 69) tells us that a “cyber operation constitutes a use of force when its scale and effects are comparable to non-cyber operations rising to the level of the use of force.” The “Schmitt Analysis” that CRS usefully includes in its report lists factors that decision-makers may want to consider in determining if a cyber-incident amounts to a use of “force” as that term is understood in Article 2(4) of the UN Charter.
What is an “armed attack”?
The IGE, along with the majority of nations, find (Rule 71 f.) that “the term ‘armed attack’ is not to be equated with the term ‘use of force’.” Citing the International Court of Justice opinion in the Nicaragua case, they conclude that not every use of force rises to the level of an “armed attack.”
Put another way, most international lawyers would say that every armed attack is a use of force, but not every use of force qualifies as an armed attack. It is very much a matter of the “scale and effects” of a specific cyber event. Indeed, there are many who would say that a nation that has suffered a cyber “use of force” of some kind would nevertheless not necessarily be able to act in forcible self-defense because the harm endured did not qualify as being equivalent to an “armed attack.”
So what would qualify? Historically, an armed attack would be one that manifests itself in substantial physical injury, damage, or loss of functionality as would be typical in a kinetic attack. However, these days a cyber-operation – a ransomware incident, for instance – can cause serious harm without necessarily directly causing the type of physical damage one might traditionally expect to see in an “armed attack” situation.
Yet few – if any – cyber incidents have been formally designated as “armed attacks” by governments, despite the costly effects, and even deaths. In fact, a cyber-attack could be a bigger killer than even a pandemic.
Is there movement in the international community as to the characterization of hostile cyber events?
Thus, it is true that it is unsettled as to exactly what events would constitute a cyber “use of force,” and which of those would be serious enough to characterize as an “armed attack.” Interestingly, Mike Schmitt told Lawfire® that this issue was one the IGE drafting the next edition of the Tallinn Manual would address. He explained:
States are hesitant to set forth the threshold at which they would characterize a hostile cyber operation as an armed attack opening the door to a forcible response. Typically, they only indicate that there is a right to self-defense if the consequences of a hostile cyber operation (or cyber campaign) are comparable to those of a non-cyber operation that would qualify as an armed attack.
However, we are seeing a degree of movement. For instance, in 2019, France suggested that “A cyberattack could be categorized as an armed attack if it caused substantial loss of life or considerable physical or economic damage.” The economic harm comment cuts new ground. Yet, while other states have not gone as far as France, there seems to be a growing sense among government officials around the world that in some cases a hostile cyber operation could cause non-physical consequences severe enough to trigger the right of self-defense.
As with the use of force issue, they are zeroing in on the “scale and effects” of the cyber operation’s consequences. This will inevitably lead them away from a strict interpretation by which only significant injury or physical damage qualifies as an armed attack. (Emphasis added.)
I agree with Mike, and I believe we’ll see a growing number of governments cautiously exploring the degree to which cyber incidents with serious national impacts might constitute “attacks” despite not directly causing the physical injury or destruction normally associated with a kinetic strike.
Exactly how nations might choose to respond (or not) to “attacks” is another issue, as controlling cyber “escalation” is, as one analyst says, “unexplored territory” marked by “high risk.”
The U.S. threshold of self-defense
A very important discussion missing from the CRS report is the rather unique view the U.S. takes as to the “use of force” and “armed attack” characterization. As I explained last June in “Cyber disruption,” ransomware, and critical infrastructure: A new US understanding of “attack”?, the U.S. has long had a lower threshold than most nations as to the sorts of incidents that would permit acts in self-defense under the UN Charter. Specifically,
[M]ost nations consider the kind of “force” referenced in Article 2(4) as not necessarily being the same as that constituting an “armed attack” as used in Article 51. In other words, an activity amounting to “force” which violates Article 2(4) might not be of sufficient violence, intensity, and scope to constitute an “armed attack” to legitimately trigger self-defense authority within the meaning of Article 51.
The U.S. has never accepted this bifurcated interpretation. In 2012 the then legal adviser to the U.S. State Department Harold Koh said:
[T]he United States has for a long time taken the position that the inherent right of self-defense potentially applies against any illegal use of force. In our view, there is no threshold for a use of deadly force to qualify as an “armed attack” that may warrant a forcible response.
But that is not to say that any illegal use of force triggers the right to use any and all force in response – such responses must still be necessary and of course proportionate.
We recognize, on the other hand, that some other countries and commentators have drawn a distinction between the “use of force” and an “armed attack,” and view “armed attack” – triggering the right to self-defense – as a subset of uses of force, which passes a higher threshold of gravity. (Emphasis added.)
Although Koh references “deadly” force, that adjective was dropped when his basic position was incorporated into the U.S. Department of Defense’s Law of War Manual (see ¶ 18.104.22.168) in this way:
“The United States has long taken the position that the inherent right of self-defense potentially applies against any illegal use of force. Thus, any cyber operation that constitutes an illegal use of force against a State potentially gives rise to a right to take necessary and proportionate action in self-defense.”
To its credit, the CRS took on a very difficult topic, and one which is evolving almost daily. It is certainly a complicated area for legal practitioners – not to mention their clients. Nevertheless, it is one we need to understand. As I’ve said before:
Cyber deterrence is difficult enough, but it’s hard to see how it could ever work absent making clear the behavior you want to deter, as well as the range of options that behavior would then permit. Even if not every episode is officially measured against the U.S.’s view of the applicable international law, doing so in the more egregious incidents would be progress.
If America wants to set norms in cyberspace (as the U.S. should want to do), it needs to make forthright assertions – one way or another – regarding its view as to whether or not a cyber “use of force” has taken place, at least when major incidents occur. This does not oblige any particular response, but it would help develop the clarity friend and foe alike need.
Remember what we like to say on Lawfire®: gather the facts, examine the law, evaluate the arguments – and then decide for yourself!