Guest Post: Blake Williams on “Action and Reaction: Are NATO States Ready to Contain the Risks Tied to New Sanctions?”

Today’s post engages another aspect of our ongoing discussion about the Ukraine crisis: if Russia does invade or otherwise behaves in a way that triggers the sanctions the U.S. and NATO have threatened, what might be Russia’s response?  The January 29th edition of the New York Times reports:

Some analysts also warn of a potential escalatory spiral. Russia might retaliate against an economic gut punch by cutting off natural gas shipments to Europe or by mounting cyberattacks against American and European infrastructure.

Army judge advocate LTC Blake William, a fellow and instructor with the International Institute of Humanitarian Law in Sanremo, Italy, offers his personal view of the challenge differing interpretations of international law might present should Russia mount significant cyber operations against the U.S. or a European ally.  He points out that Russia (and China) may consider such actions as below the threshold that would trigger a right to kinetic self-defense under the U.S. and NATO Charters. 

Still, would victim states necessarily conclude, for example, that a cyber-disruption of their critical infrastructure was not an “attack” as that term is often interpreted under international law?  Or might they view it through the lens of an effects-based analysis and decide it was of sufficient scale and effects to breach the “attack” threshold and give them the right to self-defense, including the use of traditional kinetic means?

This is is an issue with which we’ve grappled several times on Lawfire®. (See e.g., “Cyber disruption,” ransomware, and critical infrastructure: A new US understanding of “attack”? andInternational law and cyber ops: Q & A with Mike Schmitt about the status of Tallinn 3.0.”

Anyway, it’s great to see another scholar willing to pose the hard questions for policymakers.  (Note: LTC Blake uses the nomenclature of “international humanitarian law” instead of “law of armed conflict” but in this context the terms are interchangeable.)

A bit more context: just yesterday the New York Times reported:

The White House dispatched its top cybersecurity official to NATO on Tuesday in what it described as a mission to prepare allies to deter, and perhaps disrupt, Russian cyberattacks on Ukraine, and to brace for the possibility that sanctions on Moscow could lead to a wave of retaliatory cyberattacks on Europe and the United States. (Emphasis added).

As you read Blake’s thoughtful and frank personal assessment ask yourself these questions: if the U.S. and its NATO allies do unleash the threatened “mother of all sanctions” package against Russia, and it responds with a massive cyber operation that inflicts enormous misery on the U.S., Ukraine, and NATO countries, but seems to stay below the threshold of violence traditionally used to calculate what legally constitutes an “attack” within the meaning of Article 51 of the UN Charter and Article 5 of the NATO Charter, what then?  Is NATO ready for that not unimaginable scenario?

Here’s Blake’s perspective:

Action and Reaction: Are NATO States Ready to Contain the Risks Tied to New Sanctions?*


LTC Blake Williams, USA

Europe and the United States now await a second and open Russian invasion of Ukraine. As the world looks on at the tension in the Ukraine, it is difficult to imagine a peaceful resolution. Some imagine a delay of the conflict measured in months or years, but few imagine a peaceful end.

Sanctions As Deterrent

At this time, the United States and NATO alliance members are signaling a massive sanctions package as a means of deterrence. Absent from this deterrence is a plan for direct NATO military action. This may seem to be a safe path forward for NATO states.  NATO forces are stationed behind international borders secured by legal rules on state violence and the strength of the NATO alliance. 

The Rules

Sanctions are not acts of war and not considered to be attacks by any nation in Europe. Indeed, for an attack of any kind to be covered by the laws and usages of warfare, i.e., by International Humanitarian Law (IHL), it must be violent in nature. 

Unless a state engages or attempts to engage in acts covered by IHL against Russia, Russia has no right under the UN Charter to engage them in an armed conflict. 

This legal construct should keep the pending conflict largely contained to Ukraine.  But is this a complete and sound understanding of the legal construct in play between NATO and Russia?  Doesn’t the mixed legal understanding of cyber offer a possibility of rapid escalation?

The Trouble with Cyber and Attack

In recent years, many NATO states, and the United States in particular, have advocated for an effects based understanding of cyber ‘attacks’.  Influential Western treatises such as the Tallinn manual outline arguments that characterize cyber intrusions as attacks under IHL if the attack has violent effects.  This logical effects-based induction is necessary because as specialists know, a cyber ‘attack’ is simply a series of lies and contains little intrinsic violence. 

To conduct a cyber attack, the attacker first sends lies to a digital system about his permission to access the system. Subsequently, the attacker places lies in the form of code in that system which causes the system to engage in destructive behavior.  If the system were a person, this process would take the form of espionage recruiting. 

The goal of cyber is to create an insider threat to the enemy by flipping his machines rather than his soldiers. In opposition to the Tallinn manual position, the Chinese and Russian governments support the view that cyber “attacks” are akin espionage or sabotage activities and not the sort of violent attacks covered by IHL.

Both positions are logically coherent and there is a very limited customary practice of nations regarding cyber that can be used to determine which legal position is accurate.  The opinio juris is lacking and even scholars do not agree on the correct application of the law. 

The Risk

If conflict occurs and the promised sanctions are enacted, the Russian government will suffer massive economic losses measured in billions of dollars.  Such losses would be as severe as if roads, factories, and cities were bombed.  The internal pressure on the Russian government to respond would be immense.

The sanctions would deliver strategic level harm to the Russian State, but would provide no legal basis to attack NATO. 

However, Russia does not believe that cyber “attacks” are a form of violence. The rules-based order that otherwise holds Russian forces at international borders simply doesn’t exist in the cyber realm. 

The deterrent to using cyber is therefore based almost solely in the Russian assessment of what the response might be. 

After exhausting economic sanctions, states may find themselves forced to threaten violent retaliation in order to deter cyber “attack”. 

So far, none of the states who will implement the sanctions have made their response to a Russian cyber escalation clear. In this environment, the danger of uncontrolled escalation is high. 

About the author

LTC Blake Williams is a fellow and instructor with the International Institute of Humanitarian Law in Sanremo, Italy and a US Army Judge Advocate with 16 years of experience. He holds a Masters of Operational Studies with Honors from the US Army Command and General Staff College and Fort Leavenworth; a LL.M from the Judge Advocate General’s Legal Center and School at Charlottesville, Virginia; and a J.D. from the University of South Carolina School of Law.  He is admitted to practice before the Supreme Court of the United States and Court of Appeals for the Armed Forces. 


* The views and opinions expressed here are the author’s and do not necessarily reflect the official policy or position of the U.S. Army, the Judge Advocate General’s Corps, the Department of Defense, or any other agency of the U.S. government.

The views expressed by guest authors also do not necessarily reflect the views of the Center on Law, Ethics and National Security, or Duke University.

Remember what we like to say on Lawfire®: gather the facts, examine the law, evaluate the arguments – and then decide for yourself!

Be sure not to miss LENS 27th Annual conference (livestream/no registration required)!  Agenda and links to attend virtually are found here.

You may also like...