The SolarWinds data breach has renewed debates over the application of international law to hostile cyber operations. As the staggering scope of the intrusion unfolds, U.S. leaders have likened the hack to an act of war, calling for immediate retaliation against the Russian government and its intelligence apparatus. Yet while domestic law may permit retaliatory operations, the U.S. has so far failed to articulate how existing sources of international law regulate hostile activity in cyberspace.
As the standard-bearer for the post-war liberal international order, the U.S. plays a unique role in developing and maintaining international regulatory regimes. Renowned Princeton University Professor G. John Ikenberry has famously characterized the United States as a “liberal leviathan,” responsible not only for providing hegemonic, global leadership but also for coordinating the development of multilateral institutions (e.g., the UN, NATO, WTO, etc.). That this charge should include cyber regulation is relatively uncontested by the U.S. and its allies. Debate remains, however, over whether existing frameworks for international conflict can sufficiently regulate ‘cyberwarfare’. The SolarWinds breach suggests that the answer is no.
Existing Framework
Existing international law prescribes rules for when a use of force is justified (jus ad bellum) and how armed conflict should be conducted (jus in bello). While these principles are suitable for governing conventional, kinetic uses of force, their applicability to cyberspace leaves much to be desired.
Jus Ad Bellum
Article 2, Section 4 of the United Nations Charter provides that all UN members shall refrain from “the threat or use of force against the territorial integrity or political independence of any state…” Drafted in the wake of WWII, this provision is generally construed as a prohibition on the use of physical armed force against member nations; acts that fall below the “physical force” threshold are outside the charter’s scope.
The international community has tried to reconcile the Article 2 physical force requirement with digital warfare. The UN Group of Governmental Experts has previously recommended that a cyber-attack resulting in significant physical damage falls within the Article 2 prohibition. Under this reading, cyber operations like the 2010 Stuxnet worm (which destroyed several Iranian uranium enrichment centrifuges) would constitute a prohibited use of force.
Some States have adopted more expansive readings of Article 2, urging the international community to review the entire scope of a cyber operation to assess its physicality. France, for instance, qualifies cyber operations impacting its economy as Article 2 uses of force. Still, most States consider the large majority of cyber operations to fall well below the Article 2 threshold. By this physicality standard, the SolarWinds breach would not constitute a use of force justifying armed retaliation (having had no physical impact to date). This limited reading of Article 2 precludes States from effectively deterring hostile cyber operations, while at the same time encouraging States to carry out hostile cyber-attacks that fall below the physical threshold.
Jus In Bello
Just war theory provides a framework governing conduct in war. The doctrine draws on principles of (1) distinction and (2) proportionality in regulating conflict between States. While these principles effectively govern conventional warfare, their utility begins to break down when applied to cyberspace.
Distinction. Additional Protocol I to the Geneva Conventions requires that States distinguish between civilian populations and combatants while directing military operations. Specifically, Articles 51 and 54 preclude indiscriminate attacks on civilians and “objects indispensable to the survival of civilian population” (including foodstuffs, crops, livestock, and drinking water). As applied to conventional warfare, these requirements are generally manageable; kinetic strikes should be confined to military installations and objectives. Applied to cyberspace, however, the distinction requirement is less coherent. Civil and military networks are often intertwined, with up to ninety-eight percent of all U.S. government communications traveling over civilian-owned and civilian-operated networks. The SolarWinds breach is a prime example of how a civil platform (SolarWinds Orion) was exploited to infiltrate government servers. Consequently, the distinction requirement becomes unwieldy in an environment where cyber-attacks may necessarily impact civil entities (or vice versa).
Proportionality. Additional Protocol I further provides that a use of force must be proportional to its military objectives. Article 51 prohibits attacks “which would be excessive in relation to the concrete and direct military advantage anticipated.” Cyberspace poses unique challenges under the proportionality doctrine, as cyber operations generally have indirect, unanticipated effects. For instance, consider a hypothetical where a cyber-attack is deployed to disable a military communications network. While such an attack would lack any kinetic characteristic (i.e., structural damage or direct injury), the downed network may prevent civilians from accessing emergency services, ultimately leading to casualties. Similarly, a downed power grid may impact a hospital’s ability to care for its patients (consider the WannaCry ransomware attack on English hospitals in 2017). Thus, proportionality requirements fail to sufficiently address the implications of cyber conflict.
A New Framework
A new regulatory scheme is needed to define and constrain the amorphous field of cyberwarfare. States must develop a multilateral framework that extends existing principles of international law into cyberspace, placing restrictions on authorized uses of ‘cyber force’ and defining the parameters of tolerable conduct. Fortunately, some progress has already been made in this area.
The Tallinn Manual is an academic publication drafted at the invitation of the NATO Cooperative Cyber Defense Centre of Excellence that proposes a framework for international law governing cyber warfare. While the entire manual is far too comprehensive to summarize here, relevant sections emphasize the need for the application of a “scale and effects” test to determine whether a hostile cyber operation meets the threshold of a prohibited use of force. This test, first proposed in an International Court of Justice decision (see Nicaragua v. United States), provides that cyber activity will amount to a use of force “if it results in effects of a scale and nature equivalent to those caused by kinetic activity which constitutes a use of force at international law.” The Tallinn analysis provides that several factors will influence this assessment, including the activity’s severity, directness, immediacy, origin state, and target.
Many States, such as Australia and the Netherlands, have informally adopted the principles outlined in the Tallinn Manual. However, the international community has yet to formally embrace the document in any binding UN Security Council resolution. Key actors in cyberspace, including the United States, should therefore take the following steps to ensure clarity in this area:
1. Publicly declare how the state and/or actor will apply international law to cyber operations.
States and other relevant actors should take after New Zealand and publicly declare how they will respond to hostile cyber operations. These statements would not only aid in establishing norms and parameters for the application of international law to cyber operations, but also help deter legally ambiguous cyber-attacks like the Solar Winds breach.
2. Introduce a resolution calling for a formal adoption of the principles enshrined in the Tallinn Manual.
While cyber regulation would likely face an uphill battle in the Security Council, UN member States should work to introduce a General Assembly resolution calling for the adoption of new principles for the application of international law to hostile cyber operations. These principles should draw from existing international law and documents like the Tallinn Manual.
3. Enforce international law pursuant to the “scales and effects” test.
Effective deterrence will require effective and consistent enforcement. States should seek to consistently apply new principles of international law to hostile cyber operations, whether in the form of sanctions, “hack back” campaigns, or other diplomatic coercion. The scope of enforcement should depend on the scale and effects of the hostile cyber operation.
Deterring cyberwarfare is a complex inquiry fraught with obsolete practices and ineffective regulation. States must be willing to develop a comprehensive international framework regulating permitted uses of ‘cyber force’, particularly as existing sources of international law fail to address the full scope of hostile cyber activity.
Author Biography: Chris Shoemaker is a moderator for the International Law and Policy Brief (ILPB) at The George Washington University Law School. He received a B.A. in Political Science from Miami University in Oxford, Ohio.