Cyberoperations, Cyberattacks and Cyberwarfare: Dangers Posed by Ambiguity and Uncertainty in the International Regulatory Framework

Author: Clayton Cheney, 2018.

“The rapid development of information and communication technologies over the past several decades have created numerous opportunities and challenges for governments around cybersecurity, encompassing a wide range of issues from cybercrime – in the form of theft or exploitation – to cyberwarfare between states…”

Image from Pixabay under Creative Commons.

The rapid development of information and communication technologies over the past several decades have created numerous opportunities and challenges for governments around cybersecurity, encompassing a wide range of issues from cybercrime – in the form of theft or exploitation – to cyberwarfare between states. The largest current threat to cybersecurity is the potential for cyberwarfare and cyberattacks between states to escalate into inter-state conflict using conventional military weapons. While the likelihood of cyberactivities leading to a full-scale international conflict may seem remote, the increasing technological capabilities of states and non-state actors means that this theoretical threat is increasingly plausible. Furthermore, the horrific consequences for nations and their populations associated with inter-state conflict makes the risk of potential cyberwarfare, and the subsequent actions of the conflicting nations, the greatest cybersecurity threat facing the world today.

Cyberwarfare can be defined as: “A state-sponsored cyberattack against another state’s computers or information networks. To be considered cyberwarfare, the cyberattacks must amount to an ‘armed attack’ and be committed in conjunction with real-world, physical attacks” (Maras 156). This definition highlights an important aspect of cyberwarfare, that a cyberattack be made in conjunction with real-world, physical attacks. As the capabilities and sophistication of cyberoperations develop, the possibility of a cyberattack with the same devastating consequences as a kinetic attack using traditional military forces, may become a reality. Fortunately, no cyberoperation or cyberattack to date has resulted in the death or injury of any people. Before these capabilities are developed and used, a legal regulatory framework governing cyberoperations needs to be established.

There are numerous issues that must be resolved to create a peaceful and stable international cyberspace, but this article will highlight two especially problematic areas that could lead to an international conflict between states. First, the lack of an international consensus with regards to the applicability of international humanitarian law (IHL), including the right to self-defense in relation to cyberactivities, creates the possibility for certain cyberactivities to escalate into a more serious international conflict. Second, the difficultly in being able to attribute cyberactivities to a specific state produces the possibility that an international conflict could be initiated due to inadequate or incorrect information regarding the party responsible for particular cyberactivities. The article will outline and evaluate measures undertaken by states and international organizations to address these issues, including measures taken by the United States, the UN Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (UN GGE), and NATO. Finally, this paper will provide recommendations on how the international community and international organizations can minimize the possibility of cyberwarfare between states and enhance international peace and security in cyberspace.

Lack of an Established International Legal Framework for Cyberactivities

Legal frameworks are created to restrain the conduct of those subject to the jurisdiction of the framework. In the context of international and non-international armed conflicts, IHL provides the regulatory framework that regulates the conduct and use of force by state and non-state actors (International Committee of the Red Cross). Thus, the establishment of an international legal framework regulating cyberspace and attributing principles for specific cyberactivities is essential to maintaining international peace and security.

Applicability of IHL, the Right to Self-Defense and Ambiguities in the Interpretation of IHL Principles in Cyberspace

There is no international consensus that IHL and Article 51 of the UN Charter are applicable to cyber space (Schmitt “US Transparency Regarding International Law in Cyberspace”). Even if an international consensus is achieved with regard to the applicability of these legal principles, ambiguity regarding the interpretation of IHL and the right to self-defense in the context of cyberspace remains.

The applicability of IHL and Article 51 of the UN Charter is important because the conduct of a state, and its agents, in cyberspace may be subject to certain restraints and may permit certain responses to cyberactivity by another state if these legal principles apply. While the United States has made its position clear, that international law is applicable to cyberspace, “this view has not necessarily been universal in the international community. At least one country has questioned whether existing bodies of international law apply to the cutting-edge issues presented by the internet” (Koh). During multilateral engagements on cybersecurity issues, attempts by the United States to include, in the outcome document, reference to the right to self-defense in response to an armed attack in cyberspace was rejected by Russia, China, Pakistan, Malaysia and Belarus (Marks). The lack of consensus creates a situation where a state that interprets the cyberactivity of another state as an armed attack may respond with their own cyberattack or the use of traditional military tactics, thus escalating the situation into an international armed conflict with all its deleterious consequences.

Even if an international consensus is established on the applicability of IHL and Article 51 of the UN Charter to cyberspace, difficulties in applying these legal norms to new and innovative technological developments will remain. Article 2(4) of the UN Charter prohibits the use of force by a State except under certain circumstances (UN Charter Article 2(4)). Most notably, Article 51 of the UN Charter states, “Nothing in the present Charter shall impair the inherent right of individual or collective self-defence if an armed attack occurs against a Member of the United Nations, until the Security Council has taken measures necessary to maintain international peace and security” (UN Charter Article 51). The interpretation of what cyberactivities constitute an armed attack is vital because “‘attack’ is a legal term of art that has specific meaning in the context of two very different bodies of international law governing State behaviour in times of crisis or conflict. In both cases, the term represents a consequential threshold that delineates the legality of particular cyberoperations, and, in some cases, the lawfulness of responses thereto” (Schmitt “‘Attack’ as a Term of Art in International Law”). Thus, determining what types of cyberactivities by states constitute an armed attack is essential to avoid inter-state conflict initiated by cyberactivity that a state interprets as triggering its right to use force under the doctrine of self-defense. As Schmitt points out, despite the emergence of cyberoperations in inter-state relations, there has been no universally accepted reconceptualization of the notion of ‘armed attack’ by the international community (Schmitt “‘Attack’ as a Term of Art in International Law”).

What constitutes an armed attack should focus on the consequences of the cyberactivity and “a defensible interpretation of the phrase is any action that causes death or injury (including illness and severe suffering) to individuals or damage or destruction of objects” (Schmitt “’Attack’ as a Term of Art in International Law”). Using such an interpretation does provide some clarity as to what types of cyberoperations would qualify as an armed attack. Notably, attacks on critical infrastructure that result, or could result, in death, serious human injury or significant property damage would certainly qualify. However, other types of cyberoperations could create uncertainty as to whether an armed attack has taken place. Any cyberactivity related to the manipulation or destruction of data should not qualify as an armed attack because “qualifying such action would dramatically lower the threshold at which States would enjoy a right to forcefully respond to actions directed at them. This would contravene international law’s general presumption against the resort to force in the absence of authorization by the Security Council” (Schmitt “’Attack’ as a Term of Art in International Law”). Lowering the threshold triggering a nation’s right to self-defense could lead to increased inter-state conflict, as nations could claim that their response to cyberactivity, whether their response is cyber in nature or not, is legitimate and legal under the doctrine of the right to self-defense. Clearly establishing an international consensus would provide notice to all nations as to what cyberactivities are not permissible and could warrant a response by another State, whether it employs the use of force through cyber or traditional military means.

IHL regulates the conduct and use of force by parties to an armed conflict and this conduct is regulated by four fundamental principles: necessity, humanity, distinction, and proportionality (“Legality of the Threat or Use of Nuclear Weapons”). The UN GGE and its Member States have recognized that the principles of necessity, humanity, distinction, and proportionality apply to cyberactivities (“Report of the Group of Governmental Experts”). However, ambiguity remains with regard to how these principles are interpreted and applied to specific cyberoperations, especially with regard to the principles of distinction and proportionality. According to Article 48 of Additional Protocol I to the Geneva Conventions, the principle of distinction requires parties to a conflict to “distinguish between the civilian population and combatants and between civilian objects and military objectives and accordingly shall direct their operations only against military objectives” (Protocol Additional to the Geneva Conventions). Distinguishing between military and civilian targets is complicated in cyberspace, as the difference between communication infrastructure that is military and civilian is not always clear. Harold Koh, a former Legal Advisor to the United States Department of State, highlighted this issue stating, “Parties to an armed conflict will need to assess the potential effects of a cyberattack on computers that are not military objectives, such as private, civilian computers that hold no military significance, but may be networked to computers that are valid military objectives” (Koh 9). The interconnectedness of military and civilian computer networks makes it difficult for a cyberattack to be directed at a legitimate military target without causing serious harm to civilian targets.

The IHL principle of proportionality prohibits the use of an indiscriminate attack, including “an attack which may be expected to cause incidental loss of civilian life, injury to civilians, damage to civilian objects, or a combination thereof, which would be excessive in relation to the concrete and direct military advantage anticipated” (Additional Protocol to the Geneva Conventions Article 51(5)). It restricts the instrumentalities and amount of force that is permissible in a given situation. In cyberspace, it is difficult to anticipate the full scope of the consequences of a cyberoperation, which makes a proportionality assessment extremely difficult to conduct. When a nation is considering an armed attack in cyberspace, numerous factors need to be considered, including the effect of the cyberoperations on military and civilian infrastructure, the potential for physical injury or deaths, and the possible harmful effects to non-military civilian objects that may be networked to computers that are legitimate military targets (Koh 5). Further complicating the issue is the difficulty of determining a proportional response to an act of cyberwarfare that initiates inter-State conflict. The United States has indicated that “there is no legal requirement that the response to a cyber armed attack take the form of a cyberaction, as long as the response meets the requirements of necessity and proportionality” (Koh 4). While determining what type of cyber response is proportional to an initial cyberattack may be difficult, determining what type of conventional military response would be proportional to a cyberattack would be even more difficult. The challenge increases the likelihood that a response could significantly escalate an inter-State conflict and its harmful effects.

IHL principles provide an important regulatory framework to constrain the conduct of parties to a conflict; however, this regulatory framework has not been sufficiently developed in the context of cyberoperations, which presents a credible threat to international peace and security.

Attribution, Proxies, and Non-State Actors

The difficulty in determining what parties are responsible for a specific cyberoperation poses an additional risk in the context of cyberattacks and potential cyberwarfare. Specifically, the potential for plausible deniability, cyberattacks via proxies, and non-state actors conducting cyberoperations while attempting to portray the activities as the conduct of a state party poses a risk that an avoidable inter-state conflict will materialize.

In cyberspace, “A significant source of concern is plausible deniability, which is defined as the ability of actor A (the attacker) to launch a cyberattack against actor B (the target) in a manner such that it is difficult to prove A’s responsibility” (Liff 412). In conventional warfare, determining what party is responsible for specific conduct is relatively obvious, which significantly reduces the possibility of misattribution for the conduct. The unique characteristics of cyberactivity makes attribution problematic, as “a cyberattack can traverse multiple servers in multiple countries, the authorities in those intervening countries might be unable or unwilling to help locate the originating source of the attack, and so even a technologically sophisticated victim might be unable reliably to attribute the attack to a perpetrator” (Eberle 56). This creates two significant problems. First, it is not possible to adequately respond to deter similar cyberattacks in the future, which could increase the likelihood that such attacks will occur. Second, there is a real possibility that a cyberattack could be incorrectly attributed to a party and result in the use of force against that party; thus, inter-state conflict could materialize because of an immediate retaliatory strike based on circumstantial and incorrect evidence (Liff 412).

Compounding the problems associated with attribution is the fact that proxies can be used to obfuscate the party, or parties, responsible for the cyberactivities. Under international law, a State is responsible for the acts of entities “under the direction or control” of the state (“Draft Articles on Responsibility of States for Internationally Wrongful Acts” 47). While there is no consensus on the degree of control necessary for State responsibility, the International Court of Justice in the Nicaragua v. United States of America case established an “effective control” standard, while the International Criminal Tribunal for the Former Yugoslavia established an “overall control” standard in the Tadic case (“Military and Paramilitary Activities in and Against Nicaragua”; “Prosecutor v. Tadic”). The United States has made its position clear with regard to the use of proxies by States in cyberspace, “If a state exercises a sufficient degree of control over an ostensibly private person or group of persons committing an internationally wrongful act, the state assumes responsibility for the act, just as if official agents of the state itself had committed it” (Koh 6). In light of the increase in cyberactivities conducted through proxies, clear standards need to be established with regard to what level of control over an entity or individual is required to attribute responsibility for their action to a State. Establishing a standard could prevent states from using proxies to engage in cyberoperations against other states and it may also provide clarity for states on appropriate responses under IHL.

While it is unlikely that non-state actors currently possess the capabilities to mount a significant cyberattack against a state, cyber capabilities become more readily available to individuals across the globe and non-state actors may become more involved in conducting cyberoperations against states. The potential for non-state actors, such as terrorist organizations, to conduct a cyberattack increases the possibility of conflict, since an objective of a terrorist organization may be to use cyber-framing to provoke a conflict between states (Liff 422). The possibility that a terrorist organization could initiate an inter-state conflict through strategic cyber-framing is low, but the potential consequences for states involved would be extremely harmful. Thus, governments and policymakers must be aware of the possibility of such cyber-framing when attempting to determine the party or parties responsible for specific cyberoperations.

Measures Undertaken by States and Inter-Governmental Organizations

The United States has been at the forefront of efforts to establish that IHL and its norms are applicable to cyberactivities, including through publicly stating its official position and engaging in multi-lateral efforts to establish an international consensus on international legal issues in cyberspace. While some nations have been resistant to fully embracing these efforts, these nations have indicated that they believe a new regulatory framework needs to be established for cyberactivities, including by proposing a Code of Conduct for information and communication networks (“Letter Dated 9 January 2015”).

Since 2012, the United States government began to publicly declare its position regarding the relationship between international law and cyberspace. In 2012, while an acting Legal Advisor at the United States Department of State, Mr. Koh publicly stated that it was the position of the United States that “international law principles do apply in cyberspace” (Koh 3). State Department Legal Advisor Brian Egan further developed the United States’ position regarding the applicability of established international legal principles to cyberactivities during a 2016 speech “Remarks on International Law and Stability in Cyberspace”). While merely announcing publicly to the international community the official position of the United States government on these issues may seem like a modest measure, it was an important first step towards building an international legal framework for cyberspace.

President Barack Obama established the Commission on Enhancing National Cybersecurity through Executive Order 1378 (Executive Order 1378). The Commission released its final report on December 1, 2016, which included 16 recommendations and 53 action items. The report called for the establishment of a cybersecurity ambassador, urged the United States to assist nations in building their cybersecurity capacity and called for continued efforts towards establishing an international consensus as to the application of international law in cyberspace (Eichensehr). It is important that the United States continue to lead efforts towards creating international agreement on the difficult issues presented by conduct in cyberspace.

The UN has also taken a leading role in facilitating collaboration within the international community by establishing the UN GGE. The UN GGE was established by UN General Assembly Resolution 68/243 and is comprised of 20 experts from Member States (UN General Assembly resolution 68/243). The UN GGE report released on July 22, 2015, made important advances in establishing that certain international legal norms were applicable in cyberspace. Notably, the report established that states must adhere to the principles of international law, that they should refrain from using proxies to commit internationally wrongful acts, and that the principles of humanity, necessity, proportionality, and distinction apply to information and communication technologies (“Report of the Group of Governmental Experts”). However, the UN GGE’s report made some prominent omissions, including failing to reference either IHL or the right to self-defense. The UN GGE is a crucial multi-lateral effort in establishing a cyberactivities legal framework, especially given that it involves collaboration between numerous world powers, including prominent European nations, the United States, China and Russia. Building on the 2015 UN GGE report should be a central focus of the UN and the international community.

Recognizing that cyberoperations by State parties constituted a credible threat to international peace, NATO began the Tallinn Manual Process to address the lack of an international legal framework for cyberactivities. The Tallinn Manual Process was initiated following transborder cyberoperations conducted against Estonia in 2007 and by Russia against Georgia in 2008 during an international armed conflict between the two States (Schmitt “US Transparency Regarding International Law in Cyberspace”). It is a collaborative process between the NATO Cooperative Cyber Defence Centre for Excellence and leading legal scholars and practitioners in the field of cyberspace, resulting in the release of the Tallinn Manual in 2013 (Schmitt “US Transparency Regarding International Law in Cyberspace”).

The Tallinn Manual Process, and the regulatory framework set out in the manuals, has unique importance due to the nature of the North Atlantic Treaty. Specifically, Article 5 of the North Atlantic Treaty states:

“an armed attack against one or more of them in Europe or North America shall be considered an attack against them all and consequently they agree that, if such an armed attack occurs, each of them, in exercise of the right of individual or collective self-defence recognised by Article 51 of the Charter of the United Nations, will assist the Party or Parties so attacked by taking forthwith, individually and in concert with the other Parties, such action as it deems necessary, including the use of armed force, to restore and maintain the security of the North Atlantic area” (North Atlantic Treaty Article 5).

Because of this obligation, it is especially important that the position of NATO countries with regard to the regulatory framework for cyberspace, be clearly established. Other nations will then be on notice as to how the cyberoperations of a State will be interpreted by NATO nations, which could help avoid an inadvertent conflict.

While the measures undertaken by the United States and inter-governmental organizations have laid some of the groundwork to build on, an intensification of efforts by all parties to address the most contentious issues is needed. Far too often, legal frameworks are established in reaction to real world developments, but in the cyberwarfare context proactively establishing an international framework could help avoid a serious inter-state armed conflict.

Recommendations and Conclusion

While the measures undertaken by the United States and inter-governmental organizations are important to beginning the process of establishing a robust international legal framework to regulate cyberspace, these efforts need to be intensified. There are additional measures that States, international organizations, and inter-governmental organizations can take to mitigate the threats posed by unregulated international cyberactivities of state and non-state actors. The recommendations of this paper are the following:

• The United States should further develop its positions with regard to international law and cyberactivities and make these positions publicly known, including by clearly delineating which types of activities would constitute an armed attack in cyberspace. The United States should encourage other nations, allies as well as non-allies, to make their position on these issues publicly known. The more nations can be on notice as to the position of other nations, the less likely it is that an avoidable inter-state conflict will materialize.
• Global powers, including the United States, the European Union, Russia, and China, should engage in a quadrilateral effort to resolve differences in their positions regarding international law and IHL and their applicability to cyberactivities.
• All nations should avoid engaging in provocative cyberactivities that could be interpreted as hostile acts or even armed attacks against other nations, especially until there is a greater understanding and agreement between nations as to what types of cyberactivities could constitute an armed attack, as envisaged by Article 51 of the UN Charter.
• The UN GGE should intensify its multi-lateral efforts to establish an international consensus surrounding the legal framework regulating inter-state cyberactivities by establishing a non-exhaustive list of cyberactivities that would constitute an armed attack, triggering a State’s right to use force under the doctrine of self-defense.
• Multi-lateral efforts should delineate what standard of control is required in order to attribute the cyberactivities of a proxy to a State.
• An international convention should be established for international legal norms in cyberspace. This convention not replace the IHL framework for regulating cyberactivities during inter-State conflict, but rather codify and supplement such a framework.
• A judicial or quasi-judicial body should be established to address cyberactivities between states that do not amount to armed attacks. In this way, states that conduct malicious cyberoperations may still be held accountable for their conduct without the risk of escalating the situation into an inter-state conflict.
• The Assembly of States Parties to the Rome Statute, the governing statutory framework for the International Criminal Court, should amend Rome Statute Article 8, which defines the Crime of Aggression, to include certain cyberactivities. This could include creating a non-exhaustive list of cyberactivities, such as targeting critical infrastructure, which would qualify as a constitutive act of aggression if committed against another State.

The lack of a robust international legal framework regulating the conduct of States in cyberspace presents the greatest cybersecurity threat due to the risk that such activity could lead inter-State conflict using conventional military weapons. As was evidenced by Russian meddling in the 2016 elections in the United States, cyberoperations are increasingly becoming a tool of State parties. The international community needs to take proactive steps to address this issue by creating an international regulatory framework that constrains the conduct of States in the cybersphere before the cyberactivities of a State escalates into an inter-State armed conflict.

Works Cited

Eberle, Christopher. “Just War and Cyber War.” Journal of Military Ethics, vol. 12, no. 1, 2013, pp. 54-67.

Egan, Brian. “Remarks on International Law and Stability in Cyberspace.” Berkeley Law School. Berkeley. 10 November 2016.

Eichensehr, Kristen. “The Economic Incentives for International Cybersecurity Coordination.” Just Security, 6 December 2016, https://www.justsecurity.org/35310/economic-incentives-international-cybersecurity-coordination/. Accessed 15 December 2016.

Exec. Order No. 1378, 3 C.F.R. 7441 (2016).

General Assembly resolution 68/243, Developments in the field of information and telecommunications in the context of international security, A/RES/68/243 (9 January 2014).

International Committee of the Red Cross. “International Humanitarian Law and International Human Rights Law Similarities and Differences.” International Committee of the Red Cross, January 2003, https://www.icrc.org/en/document/international-humanitarian-law-and-international-human-rights-law-similarities-and. Accessed 12 December 2016.

Koh, Harold. “International Law in Cyberspace.” Harvard International Law Journal Online, vol. 54, 2012, pp. 1-12.

Legality of the Threat or Use of Nuclear Weapons, Advisory Opinion, 1996 I.C.J. 226 (July 8)

Liff, Phillip. “Cyberwar: A New ‘Absolute Weapon’? The Proliferation of Cyberwarfare Capabilities and Interstate War.” Journal of Strategic Studies, vol. 35, no. 3, 2012, pp. 401-428.

Maras, Marie-Helen. Cybersecurity: Key Issues. Burlington, MA: Jones and Bartlett, 2016.

Marks, Joseph. “U.N. body agrees to U.S. norms in cyberspace.” POLITICO, 9 July 2015, http://www.politico.com/story/2015/07/un-body-agrees-to-us-norms-in-cyberspace-119900. Accessed 12 December 2016.

Military and Paramilitary Activities in and Against Nicaragua (Nicar. V. U.S.), 1986 I.C.J. 14 (June 27).

North Atlantic Treaty art. 5, Apr. 4, 1949, 63 Stat. 2241, 34 U.N.T.S. 243.

Prosecutor v. Tadić Case No. IT-94-1-I, Trial Chamber Judgment, (Int’l Crim. Trib. For the Former Yugoslavia May 7, 997).

Protocol Additional to the Geneva Conventions of 12 August 1949, and Relating to the Protection of Victims of International Armed Conflicts, June 8, 1977, 1125 U.N.T.S. 3.

Schmitt, Michael. “‘Attack’ as a Term of Art in International Law: The Cyber Operations Context.” NATO CCD COE Publications, 2012.

Schmitt, Michael. “US Transparency Regarding International Law in Cyberspace.” Just Security, 15 November 2016. https://www.justsecurity.org/34465/transparency-international-law-cyberspace/#more-34465. Accessed 15 December 2016.

United Nations, Charter of the United Nations, 24 October 1945.

United Nations. General Assembly. Letter dated 9 January 2015 from the Permanent Representatives of China, Kazakhstan, the Russian Federation, Tajikistan and Uzbekistan to the United Nations addressed to the Secretary-General, A/69/723 (13 January 2015).

United Nations. Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security. Report of the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, A/70/174 (22 July 2015).

United Nations, International Law Commission, Draft articles on responsibility of States for internationally wrongful acts, A/56/10 (2001).