In a short essay in Foreign Policy, retired Admiral James Stavridis addresses recent election season cyber operations against the Democratic National Party that the U.S. has attributed to Russia. ADM Stavridis sketches five potential responses that he estimates would demonstrate U.S. willingness to “respond with a firm hand.”
His proposals implicate a broad range of issues, not least of which is whether, as a technical or political matter, any of them would actually prevent or deter these hacks. ADM Stavridis’s fourth proposal is especially intriguing. It suggests:
“the United States could use its own offensive cyber-tools to punish Russian hackers by knocking them off-line or even damaging their hardware. This response would be open to objections that it represents an unwarranted escalation. But under prevailing international law, if a nation has information of a nexus of offensive activity, has requested it to stop, and the offending nation declines to do so, that offensive center is liable for attack. The burden of proof for attribution would be higher in crafting such a response; it would be viable only if Washington had definitive information on the command and control centers that launched the hacking activity.” (emphasis added)
In addition to important issues for technicians, tacticians, and policymakers to consider, the proposal gives international lawyers a lot to think about.
A first legal consideration concerns the proposal’s purpose. As a response to perceived illegal activity by another State, the proposal sounds like what international law might call a countermeasure. Countermeasures are acts by a victim State (and only that State) against another State that would ordinarily be unlawful but are justified as responses to the offending State’s unlawful activity. Because of their potential to disrupt international peace and security, self-help methods such as countermeasures are subject to important limitations. With respect to the proposal, it is critical to clarify that the only lawful purpose for a countermeasure is to induce the offending State to cease its unlawful activity. Punishment, retribution, and for that matter, securing strategic advantage are not permissible purposes for countermeasures. To justify the proposal as a countermeasure, the U.S. would have to undertake it for the primary purpose of simply convincing Russia to cease unlawful hacks rather than “to punish.”
A second legal consideration concerns how to characterize the alleged Russian hacks. International law offers a menu of potential characterizations but the most appealing here are that the hacks amount to either a prohibited intervention in the internal affairs of the U.S. or an unlawful violation of U.S. sovereignty. That the hacks implicate the political process of the U.S. makes intervention an initially attractive characterization. Interference with another State’s system of internal governance is a classic example of prohibited intervention. Yet to amount to a prohibited intervention, interference must reach a matter committed exclusively to another State’s prerogative and it must be coercive. That is, the operation must force the target State into a course of action it would not otherwise undertake (and some might say, is powerless to prevent). That said, if a State were to hack election results of another State, a clearer case for prohibited intervention might be made—especially if the victim State were to swear-in the wrong candidate. In the case of the D.N.C. hacks, however, it is not overwhelmingly clear that the U.S. has been coerced in any significant respect (or at least not yet?). Although the prohibition of intervention is longstanding, States have not done much to clarify precisely where this threshold of coercion lies.
A stronger case might be made that the D.N.C. hacks amount to a violation of sovereignty. Sovereignty is at the heart of the international legal system and forms the basis of most rules of international law—including the prohibition on intervention and the prohibition on the use of force. Sovereignty guarantees that States are independent, equal, and have the exclusive right to control their territory. At present, a majority view might regard the D.N.C. hacks as violations of U.S. sovereignty, assuming they involved nonconsensual intrusion into cyber systems located in the U.S. There is, however, skepticism on this count. Momentum is building behind a view that mere compromises or thefts of data are not violations of sovereignty, but rather routine facets of espionage and competition among States. At present this appears to be a minority view but it is one that may gain support as the cyber domain matures. In fact, the relatively mild U.S. responses to hacks of its Office of Personnel Management may be evidence that the U.S. considers the hacks involved no internationally unlawful act (to be sure, there are other possible explanations). That the D.N.C. emails are private, rather than governmental data, might further influence some opinions with respect to a sovereignty violation.
A third legal consideration concerns the two specific cyber operations involved in ADM Stavridis’s fourth proposal. At present, it is not perfectly clear whether “knocking [hackers] off-line” would require legal justification because it is not clear that disrupting connectivity is internationally wrongful. The majority view is that mere disruptions of connectivity are neither unlawful uses of force nor, as such, prohibited interventions under international law. It is less clear, however, whether disruption of connectivity constitutes a lesser international wrong, such as a violation of sovereignty. The extent to which the operation would require nonconsensual entry (physical or virtual) into these systems, would be important to most international lawyers assessing sovereignty. And again, an emerging view might regard such disruptions to connectivity as unfriendly, but routine and internationally lawful acts.
The proposal to damage hardware presents a clearer case for unlawful conduct that requires a legal justification such as characterization as a countermeasure. Many international lawyers might even classify an operation that required a targeted State to replace or physically repair hardware as a prohibited use of force. While, as previously explained, some violations of international law can be justified as countermeasures, the overwhelming majority view holds that uses of force cannot. To be lawful, countermeasures must fall short of the use of force. Under this prevailing view, the U.S. could destroy hardware (in legal terms “use force”) only if the D.N.C. hacks amounted to “armed attacks” that gave rise to self-defense under the UN Charter—a highly unlikely determination. Admittedly, the U.S. has long made clear that it regards the Charter’s “armed attack” threshold to be a low one—synonymous, in fact, with the “use of force” threshold. Still, it is enormously difficult to imagine a persuasive characterization of the D.N.C. hacks as either uses of force or armed attacks. As a result, any use of force in response to the attacks – whether through cyber or other means – would be unlawful.
Finally, and while on the subject of persuasiveness, the fourth proposal implicates what international law has to say (and what it doesn’t have to say) about attribution. The proposal contends that the U.S. would need to have “information of a [Russian] nexus to offensive activity.” This reflects, in very general terms, the requirement that resort to self-help by States requires attribution to the target State. It also reflects wise advice as a matter of policy. But the proposal overstates the attribution requirement, or at least prescribes it prematurely, when it identifies a “burden of proof for attribution” and errs when it requires “definitive information.”
First, although attribution is essential to establishing State responsibility, international law governing State responsibility does not allocate burdens of proof. Mention of burdens of proof is generally appropriate only in reference to legal proceedings. In litigation or arbitration, a complaining party might carry the burden of proving their case. But to speak of a burden of proof in the fourth proposal is premature and, given U.S. reluctance to expose its national security decision making to international legal proceedings, unlikely to be practically
Second, the contention that “definitive information” is required to justify the operation overstates the law. Surprising to some, international law actually does not prescribe a standard of proof for States to undertake countermeasures or other means of self-help. That is, undertaking a countermeasure or act of self-defense, in the absence of definitive information, in the absence of compelling information, or even in the absence of persuasive information is not wrongful. To be sure, gathering proof of attribution is wise and failure to do so may lead a State to act in error. And if a State acts in error it bears responsibility. But the failure to do so does not itself amount to a wrongful act and therefore cannot be regarded as part of international law.
Some international lawyers might deduce a more general requirement for States to act reasonably. That is, States might be responsible for unreasonably deficient attribution efforts. However, a quick hypothetical questions this view.
Suppose State A suffers harmful hacks from a foreign source. State A launches countermeasures against State B. State A had no reliable evidence that State B was responsible for the hacks. They gathered no intelligence and conducted no cyber forensics—they simply guessed. Now suppose State A guessed correctly—it was State B all along.
Were State A’s countermeasures justified but unreasonable under the circumstances and therefore still wrongful? A freestanding duty of reasonableness with respect to attribution might suggest so. There may be attractive arguments in favor of developing such a rule. Incentivizing reasonable behavior is usually desirable. But at present, the better position is that international law leaves the questions of sufficiency of evidence, in both qualitative and quantitative terms to States’ discretion and accordingly to their willingness to take risk.
ADM Stavridis’s proposals reflect not only public sentiment (and resentment) concerning the state of affairs in cyberspace but also its legal complexity. And his post makes clear that legal considerations are but one of many inputs to decision-making in this realm. Of his five proposals, I suspect the fourth is the one many Americans are rooting for and might select given the chance. But the international legal justifications for that proposal may be just as important as communicating our willingness “to respond with a firm hand.”
Image: US Army’s CyberCenter of Excellence – Wikimedia Commons