Americans, and people throughout the world, are becoming increasingly aware that there are significant vulnerabilities in the Internet, and that there are malicious actors who are intent on exploiting those vulnerabilities. And Americans and others are beginning to appreciate the potential for harm that could result – harm to public safety, harm to the economy, and even harm to our capacity for self-government. North Korea has been identified in numerous news reports as one such malicious actor, and with the escalating tensions between the United States and North Korea, and with talk of war swirling across the news, it is especially timely to examine how international law operates in the cyber domain, and what the United States can do to defend itself from cyber attacks.
Many have rightly cautioned that cyber responses to unfriendly acts in the cyber domain carry an escalatory risk. It has been argued that the United States’ relatively greater dependence on cyber throughout its economy than that of North Korea (and Iran, Russia or China) makes responsive acts in the cyber domain particularly risky and generally unwise. The greatest risk of escalation comes from miscalculation, and it is difficult to think of an area of State-to-State interaction where the risk of miscalculation is greater than in the cyber domain.
The failure to respond, however, carries its own risk of leading to a catastrophic escalation. A failure to respond can lead to a sense of impunity in the cyber domain that can lead to acts to which the victim finally feels it has no choice but to respond, and to respond so forcefully that escalation to catastrophe becomes a grave threat. For example, the failure to respond to the implantation of “kill” devices, designed to disrupt the power grid, could leave the perpetrator with the belief that its actions are invisible to the victim State, and that it could knock out the grid without facing a forceful response. If the kill devices resulted in harm to the grid that could not be overcome in a few hours or a few days (for example, by causing changes in operation of the grid that resulted in physical damage to such critical components as large transformers – which would take months or more to repair or replace), then the victim State could conclude that it has no choice but to bring the full force of its military power against the perpetrator, because that military power could seriously degrade over time as a result of the disruption of the grid. Misattribution – that is attribution to the wrong party – can occur, and that presents another risk of escalatory miscalculation; indeed, attribution is a challenge in the cyber domain that is fundamentally different from that in every other domain. But reasonable judgments must be and are made. Faced with a devastating cyber attack on its electric grid, the victim State will almost certainly act against whoever it believes most likely to have carried out the attack. Thus, decision makers must consider the entire escalatory pathway, including the risks that can result from the failure to respond adequately to a cyber attack as well as the risks that can result from responding.
Cyber Attacks Can Constitute an “Armed Attack”
There is no real dispute that a cyber “attack” can be an armed attack under international law, triggering the inherent right of self-defense recognized in the United Nations Charter – “Nothing in the present Charter shall impair the inherent right of individual or collective self-defence [sic] if an armed attack occurs against a Member of the United Nations, until the Security Council has taken measures necessary to maintain international peace and security.” The nature of a cyberattack can amount to an “armed attack” if the consequences, or purpose, of the attack are similar to the consequences of an attack by more conventional means. A cyberattack that destroys critical components of the power grid resulting in the widespread loss of electricity for months, with all the natural consequences of death, injury, and social chaos that would result, with damage comparable to that resulting from a physical bombing, could readily be viewed as an “armed attack.” But there would be more argument if the attack was unsuccessful – that is, if the purpose of the cyberattack was to destroy and disable the grid for an extended period, but the Nation’s defenses were adequate to prevent those consequences. For one thing, the assessment of the “purpose” would necessarily involve complex judgments of a highly technical nature, and there might be important reasons for the Government not to release all the evidence for that judgment (for example, to protect intelligence tactics, techniques, or procedures, or to avoid revealing how the defenses managed to thwart the purpose of the attack). Without the irrefutable evidence of actual harm, the judgment that the purpose of the attack is sufficient to make it an armed attack will be controversial at best.
Even with compelling evidence of the purpose, and even in the event of a successful attack, attribution of the attack to a State, such as North Korea, might also be controversial. The attribution of the thievery of e-mails from the Democratic National Committee to Russia by the U.S. Intelligence Community has itself been disputed, bizarrely, by the President of the United States, even as the President’s senior counsellor has asserted that attribution of cyber exploits is not so hard. Whatever the actual merits, it is clear that attribution will be controversial and that there will be many doubters—regardless of how compelling is the information in the possession of the United States. This is important because international law applies among States, and generally does not apply (at least directly) to the activities of nonstate actors. Although a State has an obligation to prevent attacks coming from its territory whether those attacks are sponsored by the territorial State or not, that obligation only goes to attacks that it is or should be aware of; and in the world of cyber even a State sponsored attack can at least seem to originate from the territory of some other State.
As a result of these complications, exercising the inherent right of self-defense (involving the use of force, such as kinetic action or a cyber counterattack) against a cyberattack that rises to the level of an armed attack would be controversial. But the impact of the cyberattack on U.S. targets could be so consequential that, whatever the controversy, the United States would feel compelled to act, and nothing would be off the table. The escalatory risks would be immense, but the risk of inaction in the face of a cyberattack that does rise to the level of a use of force could be just as great.
Responding to Cyber Attacks Below the Threshold of an “Armed Attack”
More controversial would be the question of what to do if a cyberattack attributed to North Korea did not rise to the level of a use of armed force. What if the cyberattack consisted of disrupting power to a few neighborhoods, for a few hours, or disrupting production at one or a handful of companies for a few days, or disrupting the reservation system of the Trump International Hotel? Clearly, each of those actions would be a violation of U.S. law, but would they be a violation of international law, and even if a violation of international law would they be enough to trigger the inherent right of self-defense?
Although the question of attribution would certainly be controversial (in part because these acts could be carried out by cyber gangs without State support), assuming that the cyberattack is the act of a State, that act could be considered to violate the principle of nonintervention. There are two critical elements necessary for an act to violate this principle – first, the act must be coercive in nature, and second, it must intrude into an area within the domaine réservé of the target State. In the context of the ongoing tensions with North Korea, it would be natural to see any of these acts – a neighborhood blackout, production disruption, or even the disruption of the reservation system of the Trump International Hotel – as coercive threats of graver harms unless the United States took acts, like lifting sanctions or refraining from seeking harsher sanctions. This implicit threat could be viewed as a coercive effort to change the foreign policy of the United States, which is an area within its domaine réservé. These acts would not trigger the right of self-defense, but they could justify the use of countermeasures – acts that would otherwise be illegal, but not if taken in proportionate response to an illegal intervention.
Limitations on the Right to Employ Countermeasures and on Their Utility
Countermeasures in international law are actions that are ordinarily unlawful but are justified as responses to unlawful acts by other States. Countermeasures are limited to actions affecting the State being targeted; actions violating the rights of other States cannot be justified as countermeasures. In addition, countermeasures do not alter the obligation to refrain from the threat or use of force, and must be designed to induce the State that is in violation of its obligations to come into compliance with those obligations, and when it does the countermeasure must terminate. Moreover, the countermeasure must be proportionate, taking into account the injury suffered as a result of the wrongful act being responded to and the gravity of the internationally wrongful act. (I bracket for now the idea that the injured State must also notify the responsible State of any decision to take a countermeasure, except to say that this demand may show why we need more flexibility in the cyber realm.)
The limitations applicable to countermeasures are not problematic in almost any case one can think of outside the cyber realm, but some of those limitations can be problematic in cyber. The most effective and proportionate countermeasure might well be to disable the servers from which the attack is coming or to otherwise take action on those servers that precludes their use in similar attacks in the future. Indeed, it is worth reflecting on how such defensive measures can involve, under the rules for countermeasures, a pure case of inducing the other State to comply with its legal obligations by denying it the specific capacity to do otherwise. However, the relevant computer servers could be inside the territory of a third State, and not within the territory of the State responsible for the attack. Taking proportionate action in the responsible State might be ineffective; the only effective action possible in that State might appear to be disproportionate, and it might have a troubling escalatory impact. For example, if North Korea is responsible for scattered short-term power outages in the United States, acting through servers located in third countries, a countermeasure limited to scattered power outages in North Korea might have essentially no effect, given the existing state of the North Korean power grid. A measure that resulted in a widespread outage in North Korea, even though arguably proportionate given the relative reliance of U.S. communities on the power grid compared to that of North Korean communities, could be perceived as escalatory, and inviting a broader attack on the U.S. grid. And taking action against servers from which the attack was launched but located in a third country, such as China, could risk escalation not only with North Korea but with China as well.
But the escalatory consequences of failing to respond with sufficient effect so as to stop an ongoing attack or to forestall similar future attacks also must be taken into account. That action might lead to escalation must not blind us to the risks associated with inaction. Either course – responding or failing to respond – may increase the risks of an escalatory cycle.
Taking action on the territory of a third State, without that State’s consent, would not be regarded as a valid countermeasure, unless that third State itself has violated an international legal obligation to the victim State (in this scenario, the United States). If the third State is made aware of the use of its territory to propagate an unlawful intervention in the domaine réservé of another State, and it refuses to take action to stop the intervention from continuing, then that third State will have made itself an appropriate target of countermeasures. However, the victim State might be unwilling to provide as much evidence as the third State might demand that equipment within its territory is being used to propagate an illegal intervention due to concerns with the protection of tactics, techniques, and procedures. The information the third State might demand could provide important clues on how the victim State’s defenses work, and could provide the third State, and perhaps also the attacking State, with a roadmap to better evade those defenses. Especially in cyber, we also need to envision scenarios in which there is simply no time to inform, let alone convince, the third State before taking urgent defensive measures.
A Route Out of the Quagmire?
One possible route out of this quagmire lies in exploring the legal status of purely defensive action with effects occurring within the territory of another State. By “purely defensive actions,” I mean actions affecting only cyber attacks emanating from one State – for example, a third-party State in whose territory servers involved in the cyberattack are located – without otherwise affecting facilities or equipment within that State. An example of a purely defensive action would be to disable the malicious software on the servers located in the third-party State without diminishing the functionality and operation of those servers. Such actions by the State affected by the cyber attack would not constitute a use of armed force, and would also not rise to the level of unlawful intervention.
Make no mistake – taking even such a limited action is almost certainly a violation of the domestic law of the country in which the effects occur. But violation of domestic law does not by itself render an action a violation of international law.
Certainly some argue that any action occurring within the territory of another State without that State’s permission and not justified as a countermeasure or as an exercise of the inherent right of self-defense (as a response to the use of armed force) would violate the sovereignty of the territorial State under international law. That is, some characterize any State action within another State that violates its domestic laws as a violation of “sovereign inviolability” and thus a violation of international law. But this position proves too much, trivializing international law as a subset of domestic law, and makes it impossible to understand the almost universal acceptance of espionage – including on foreign soil – as permissible under international law even while it is clearly wrongful as a matter of domestic law. For these reasons, it is sensible to treat the idea of “sovereign inviolability” as at best one among many principles that inform the construction of international law rules – including, for example, the need of a State to be able to ensure that its people and its businesses have security from malicious attacks that are increasingly sophisticated and threatening to public health, safety, and prosperity – to be considered in the development of the customary international law specifically applicable to the cyber domain.
How does this difference in the understanding of the legal framework play out in the scenario of North Korea directing cyber actions against facilities within the United States implicitly to coerce the United States to refrain from imposing, or intensifying, sanctions against Pyongyang? With respect to the legality of taking actions in North Korea itself to counter the malicious attacks coming from North Korea, there might not be much difference. If any violations of our domestic laws are a violation of international law, then all that would be required to justify countermeasures would be attribution to the North Korean State; whether the malicious actions were regarded as unlawful intervention would not matter. If “sovereign inviolability” is viewed as one principle only and not as a rule of international law, countermeasures still could be justified against North Korea, as long as the malicious attacks are attributed to the North Korean State and the attacks are considered to be a violation of the international law rule against “unlawful intervention.”
Taking purely defensive action in North Korea is unlikely to create a high risk of escalation, because the action would be limited to disabling actions that the North Koreans would probably be disclaiming any responsibility for in the first place. Whatever risks there are must be considered in the context of the risks of escalation that may result from the failure to take any action.
How would these different conceptions of international law play out with respect to the possibility of action inside the territory of a third State – in our hypothetical, China? With either view of international law, the concept of countermeasures would have no place, unless the Chinese State could be deemed to be violating a duty it owes to the United States. Treating China as responsible for the actions of North Korea would itself be escalatory, and it would expand the escalating tensions between the United States and North Korea to a far more capable and powerful party. If sovereign inviolability is treated as a rule of international law, then taking action – even purely defensive action – inside the territory of China would be a violation of international law. On the other hand, if sovereign inviolability is treated as a principle (not a rule) to be considered along with other principles — such as the obligation of States to defend the health, safety, and prosperity of their people — taking purely defensive action would not be viewed as violating international law.
Still, demonstrating a disrespect for the territorial limits of another State would create a possibility of blowback, and should be pursued only if there is a compelling reason for taking the defensive action within the territory of another State (in this example, China). No action should be taken if it is not necessary to prevent significant harm. Such forms of defensive action, for example, would not be necessary when there are options within the territory of the first State (here, the United States) that could adequately protect its interests or when the balance of the harms (even considering the potentially escalatory effects of inaction) does not clearly favor actions outside the first State’s territory. The balance of harm should include an assessment of the risks that the action will have effects beyond those intended.
Sometimes, it will be the case that the ability to handle the threat from a malicious cyber actor purely within the State subject to the attack will be inadequate. Sometimes, that is, stopping the attack outside one’s own network or outside one’s own country is the best way to prevent injury to yourself. In our example, if the U.S. action affects China, it is possible that China would protest that action, but it is also possible that China would pressure North Korea to cease using Chinese infrastructure to harass the United States, out of concern that that activity and the response of the United States to that activity creates tensions between the United States and China, and provides a rationale for other U.S. actions on the Chinese network. Articulating as limited a rationale as possible is critical to limiting the potential for escalation; it is near certain that whatever rationale is used will be used to justify actions by others against you. If the rationale is that anything goes in the cyber domain, that would be a very dangerous world for the United States, particularly given our reliance on cyber.
On the other hand, a rationale tied to the need to defend our citizens and our businesses from attacks, particularly by sophisticated State actors capable of bringing resources and capabilities beyond the ability of individuals and companies, and tied to avoiding any adverse effects in the third State, would reflect respect for the principle of sovereign inviolability, limited only by the compelling need to defend our own people.
Such a limited and targeted approach draws strength from the doctrine of necessity, as reflected in the Articles of Responsibility of States for Internationally Wrongful Acts. Under that doctrine,
Necessity may not be invoked by a State … unless the act:
(a) is the only way for the State to safeguard an essential interest against a grave and imminent peril; and
(b) does not seriously impair an essential interest of the State or States towards which the obligation exists, or of the international community as a whole.
The negative pregnant is that necessity can be invoked to preclude the wrongfulness of an act if it is the only way to safeguard an essential interest facing a grave and imminent peril, and if it does not seriously impair an essential interest of the other State. Purely defensive acts taken only if actions within the State targeted by malicious actions of others are ineffective probably meet the test for necessity. Whether such actions meet the element of “an essential interest” would need to be determined in a given case, depending on the nature of the threat and with some consideration of the risk of an escalatory spiral from inaction.
The United States, preferably working with others in the world community, should announce that it will take actions of a purely defensive nature to the extent that actions within the United States are not sufficient to protect its citizens and companies from malicious actors, whether States or nonstates, and should call on all States to prevent malicious attacks. It should not renounce the possibility of taking actions beyond the purely defensive if purely defensive actions are infeasible or ineffective in a given case.
The United States and other States cannot afford to allow malicious actors, whether States or nonstates, to operate with impunity. The lack of a meaningful and efficacious response to malicious attacks raises the risk of escalation by fostering miscalculations.
Taking purely defensive actions within the territory of other States is one tool that could better protect vital U.S. interests; is legally available, at least in some circumstances; and could be an important step toward reducing the risks of escalation resulting from inaction. It would demonstrate a seriousness of intent and a willingness to take action to protect the vital interests of the United States, without yet significantly affecting the vital interests of another State. Effectively communicating that message is the key to reducing the risk of escalation from inaction, without unduly raising the risk of escalation from action.