Concerns about the vulnerability of infrastructure to cyber attacks were highlighted in two recent news articles. Last month, the Wall Street Journal reported that in 2013, Iranian hackers infiltrated the control system of a dam 20 miles outside of New York City. Just 11 days later, reports emerged that Ukraine is investigating a cyber operation against its power grid that resulted in a large area being left without energy. The first article calls attention to vulnerabilities in the US’s infrastructure, while the second illustrates the potential consequences of a cyber operation against it (or another country’s infrastructure). As the investigation in Ukraine is still ongoing, this post will focus on the WSJ’s report, which raises many questions on its own.
How should this event be characterized? Is it an act of cyberwar? Is it an inter-state attack? What measures can the United States take in response to this event? As these types of incidents increase in frequency, it is important to understand when and how the US may respond to them. Such responses depend on the characterization of the event under international law. Because these are persistent questions (and likely to become more so), it’s useful to juxtapose the Tallinn Manual on the International Law Applicable to Cyber Warfare and the US interpretation of the applicable international law to frame the analysis. The ways in which the Tallinn Manual and the US apply international law to malicious cyber operations leave room in some situations for differing conclusions on how States should respond to malicious cyber operations.
Cyber Operations as Armed Attacks
The discussion that follows focuses on whether or not the incursion into the dam was an armed attack, the threshold at which a State may take forceful action in self-defense. A State’s permissible responses to cyber actions that do not rise to the level of an armed attack have been analyzed in the context of the Sony hack in an earlier Just Security post. Yet, there are important differences between the Sony and dam hacks that raise the issue of what constitutes an armed attack. Most significantly, whereas Sony is a corporation, the dam is part of the US’s infrastructure and is located near a major metropolitan area, thereby raising the stakes. And of course, as a general matter, the consequences of cyber operations targeting a State’s infrastructure are potentially far more destructive and injurious than those against corporations. As a result, it is more likely that cyber attacks on physical infrastructure will amount to an armed attack, though it must be assessed on a case-by-case basis and is far from a foregone conclusion.
To properly characterize the dam incident under international law, and assess how the United States could have responded, it is crucial to understand what happened … and what did not. According to the WSJ, the hackers probed the dam’s systems, but they did not take control of it. No one was killed or injured. And unlike a 2014 incident in Germany, seemingly no equipment was damaged. It is also important to know who conducted the operation: was it the Iranian government or Iranian vigilantes acting independently of the government? The WSJ appears to assume that the hackers were employed by Iran’s government.
Under the Tallinn Manual’s approach, cyber actions that qualify as an armed attack open the door to a forceful response, by either cyber or non-cyber means, pursuant to the law of self-defense. The US view is precisely the same. However, as is explained in more depth below, the Tallinn Manual and the US government adopt different thresholds for determining when a cyber operation constitutes an armed attack.
The Tallinn Manual Approach
The majority view in the international community draws a distinction between the notions of “use of force” and “armed attack.” Article 2(4) of the UN Charter and customary international law prohibits the threat or use of force by one State against another. The State taking the action that amounts to a use of force has committed an “internationally wrongful act” (i.e., it violated international law). Article 51 of the UN Charter, by contrast, is not about whether international law has been violated, but rather about responses, and more specifically responses to an armed attack. It provides that a State may respond forcefully in self-defense when it is the victim of an armed attack. In its 1986 Nicaragua judgment, the International Court of Justice stated that an action’s “scale and effects” are the distinguishing criteria between actions that qualify only as a use of force and those uses of force that rise to the level of an armed attack; hence, the so-called “gap” between the two thresholds. Under this approach, while all armed attacks qualify as a use of force, not all uses of force are armed attacks.
The International Group of Experts (IGE) that produced the Tallinn Manual examined this matter in the context of cyber actions. It began by assessing when a cyber operation constitutes a use of force. The group agreed that a physically destructive or injurious use of force clearly qualifies. They also agreed that certain operations are excluded from the use of force ambit, such as “non-destructive cyber psychological operations intended solely to undermine the confidence in an economy.” And they agreed that a cyber operation need not be physically destructive or injurious to cross the use of force threshold. Unfortunately, they were unable to achieve consensus on a bright-line test in this regard. Instead, the IGE proffered eight non-exhaustive factors that are likely to be considered by States faced with assessing whether a cyber operation directed against them, or one they may launch, is a use of force (and would therefore be unlawful unless engaged in pursuant to Security Council authorization or self-defense). The eight factors identified by the IGE are severity, immediacy, directness, invasiveness, measurability, military character, state involvement, and presumptive legality.
With respect to the armed attack threshold, the IGE “agreed that any use of force that injures or kills persons or damages or destroys property would” amount to an armed attack. It “also agreed that acts of cyber intelligence gathering and cyber theft, as well as cyber operations that involve brief or periodic interruption of non-essential cyber services, do not qualify as armed attacks.” The IGE, however, could not achieve consensus on whether many other cyber operations that do not result in injury or destruction could rise to that level. Some of the experts were of the view that injury or destruction was required for a cyber action to be an armed attack. Others argued that the consequences of a cyber operation’s effects should serve as the basis for qualifying an action as an armed attack. Those experts asserted, using the severity of the effects of an attack as a benchmark, that a “cyber operation directed against major components (systems) of a State’s critical infrastructure that causes severe, albeit not destructive, effects would qualify as an armed attack.”
The US Approach
The US view is that there is no difference between the use of force and armed attack thresholds. Harold Koh, the then-legal adviser at the State Department, explained in 2012 that “[c]yber activities that proximately result in death, injury, or significant destruction would likely be viewed as a use of force.” He noted that “[c]ommonly cited examples of cyber activity that would constitute a use of force include, for example: (1) operations that trigger a nuclear plant meltdown; (2) operations that open a dam above a populated area causing destruction; or (3) operations that disable air traffic control resulting in airplane crashes.” Koh stated that when “assessing whether an event constituted a use of force in or through cyberspace, we must evaluate factors: including the context of the event, the actor perpetrating the action (recognizing challenging issues of attribution in cyberspace), the target and location, effects and intent, among other possible issues.” Up to this point, The IGE and the United States were marching in lock-step.
However, Koh went on to explain that “the United States has for a long time taken the position that the inherent right of self-defense potentially applies against any illegal use of force. In our view, there is no threshold for a use of deadly force to qualify as an ‘armed attack’ that may warrant a forcible response.” In other words, there is no gap. Herein lies the potential difference between the Tallinn Manual approach and that of the United States. If the US position tracks the Tallinn Manual assertion that non-destructive or injurious cyber operations can qualify as a use of force (as it almost certainly does), then under the US’s reasoning, those operations are equally armed attacks that permit a forceful cyber or non-cyber response. Recall that many members of the IGE were unwilling to go this far. And all members of the IGE concurred that there were certain uses of force that were not armed attacks.
Analyzing the Dam Attack
With this in mind, let’s take a look at the dam incident again. Assuming the accuracy of the WSJ’s report, and based on the eight factors discussed above, it is unlikely that the IGE would characterize the operation as a use of force, and thus it would not constitute an armed attack. While the effects of this action appear to have been fairly direct and immediate, they were not severe. No one was killed or injured. No equipment was damaged or destroyed, and there was no reported break in services provided by the dam. Likewise, the invasiveness was low. For instance, this was not a high-security Defense Department system. Moreover, the operation was a mere probe, not one that involved seizing control of the systems or rendering them useless (i.e., the “measurability” of the attack was relatively low).
Under the Koh analysis, it is also unlikely that the incident would be seen as a use of force by the US. While the cyber action was part of a larger movement against the websites of US banks, and although the target was located within 20 miles of New York City, it was a “very, very small” dam. There were no known adverse effects from the cyber action, nor any severe ones that were reasonably foreseeable.
Interestingly, during the government’s process of identifying the targeted dam, it was mistakenly thought that an Oregon dam, which is 10 times taller than the New York dam, was the objective. A city of over 9,000 people was downstream from the Oregon dam. If this dam had, in fact, been targeted, and if the operation risked release of the waters, the potential for injury, death, or damage would have been great. Under both the Tallinn Manual and US approaches, such a cyber operation would not only qualify as a use of force, but also as an armed attack justifying a forceful response. However, more ambiguity enters the analysis if it was unclear whether or not the operation risked the release of the waters. It is in this circumstance that the differences between the two approaches may become apparent.
Another important wrinkle that’s worth pointing out: If cyber operation against the dam had caused consequences at the armed attack level, the issue of the perpetrator’s identity would have become prominent. If the theoretical armed attack was perpetrated by the Iranian government, or on its behalf by a non-State group, the Article 51 right of self-defense would clearly attach. Moreover, both the IGE and the US government agree that non-State actors, even when not acting on a State’s behalf, may conduct armed attacks that permit forceful responses in self-defense. This position is supported by extensive State practice and opinio juris. Indeed, States have repeatedly invoked the right of self-defense against non-state actors. For example, the United States did so in response to the 9/11 attacks, a position that was supported by numerous Security Council resolutions and by scores of offers of support in collective self-defense from other States. More recently, self-defense was cited in 2014 by the United Kingdom as a possible legal basis for aid to Iraq in its fight against ISIL, while in 2015, Russia invoked the right following the destruction of one of its passenger planes in Egypt by terrorists.
However, despite this record, many international law specialists, and seemingly the International Court of Justice (based on its Wall Advisory Opinion and Congo judgment), take a much more restrictive approach. In their view, the acts of non-State actors only implicate the right of self-defense when engaged in on behalf of a State as described in the Nicaragua judgment. Therefore, even when an action is at the armed attack level of severity, if conducted by a non-State group acting independently of any State, the target State may not respond pursuant to Article 51 (and its customary law counterpart).
Responses to Hacks That Aren’t “Armed Attacks” or a “Use of Force”
The fact that a cyber operation does not qualify as an armed attack does not necessarily preclude a response. A state may still turn to countermeasures for recourse. In particular, the International Law Commission’s Articles on State Responsibility acknowledge that customary international law permits “countermeasures” in response to internationally wrongful acts. A countermeasure is an act that would otherwise be internationally wrongful but for the fact that it is in response to the breach of a legal obligation owed to the State taking it (i.e., the “injured” State) by the State that breached the obligation (i.e., the “responsible” State). Countermeasures are limited by, among other things, the principle of proportionality and, under the majority view, may not rise to the level of a use of force. In the cyber context, the paradigmatic countermeasure is hacking back. Although beyond the scope of this post, it merits mention that it is not at all clear that a cyber probe for the sole purpose of gathering information is internationally wrongful.
Another possible State response to cyber operations directed against it comes in the form of retorsion. The key difference between acts of retorsion and countermeasures is that retorsion involves action that is per se lawful, if unfriendly. It can include such measures as limitations on normal diplomatic relations, economic sanctions, or the withdrawal of aid. There is no question whatsoever that acts of retorsion would be lawful and appropriate in response to cyber operations like those against the dam. This would be true even if such cyber operations are lawful. For instance, assuming merely for the sake of analysis that the dam operation was not an internationally wrongful act, there would be no reason that the United States could not respond in kind. The question of whether to engage in retorsion is, of course, always a matter of policy, not law.
* * *
Even though the Tallinn Manual and US approaches produced the same conclusion in this case (that a forceful response was not lawful), international law does not leave a State without recourse. Nor will the two frameworks always produce the same results. When looking at any future State-level cyber attacks — particularly against the US — it’s worth bearing both (and their differences) in mind.
The views expressed are those of the author in his personal capacity and do not necessarily represent the views of the US Government, Department of Defense, or its components.