Noteworthy Releases of International Cyber Law Positions—PART I: NATO

Although efforts such as the  Tallinn Manual 2.0 project have contributed greatly to understanding how international law rules apply in the cyber context, much work remains to be done. Indeed, a significant grey zone in the international law of cyberspace exists, one that only States can authoritatively clarify through their cyber practices and the taking of public positions on the applicable law.

Some have begun to take up that challenge by expressing their legal views, with notable examples being Australia, France (see here, here, and here), the Netherlands, the United Kingdom, and the United States. The NATO Allies have recently done so as well by means of Allied Joint Publication-3.20 (AJP-3.20), Allied Joint Doctrine for Cyberspace Operations.

Such doctrine sets forth the “[f]undamental principles by which the military forces guide their actions in support of objectives.” In addition to AJP-3.20, other key NATO doctrine that shapes Alliance cyber operations includes AJP-3, Allied Joint Doctrine for the Conduct of Operations, and AJP-3.9, Allied Joint Doctrine for Joint Targeting. However, it is in AJP-3.20 that the Allies have agreed upon certain key legal principles and rules governing cyber operations.

The fact that AJP-3.20 has received little attention in international law circles belies its significance, for the document had to be approved by all NATO Members. Accordingly, and with one exception discussed below, the legal points made therein represent the consensus positions of 30 nations: Albania, Belgium, Bulgaria, Canada, Croatia, the Czech Republic, Denmark, Estonia, France, Germany, Greece, Hungary, Iceland, Italy, Latvia, Lithuania, Luxembourg, Montenegro, the Netherlands, North Macedonia, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Turkey, the United Kingdom, and the United States.

NATO has increasingly focused its attention on both the threat posed by hostile cyber operations and the opportunities cyber capabilities offer NATO forces on the battlefield. The Alliance first highlighted the cyber threat at its 2002 Prague Summit. In 2008, NATO adopted the organization’s initial cyber defense policy, while two years later at the Lisbon Summit cyber defense was included in NATO’s Strategic Concept. At the Wales Summit in 2014, the Alliance acknowledged that a cyber-attack could justify invocation of the North Atlantic Treaty’s collective defense provision (Article 5). Cyber was recognized as a domain of military operations in 2016 at the Warsaw Summit, a position confirmed at the 2018 Brussels Summit. At Brussels, the Allies also agreed to standup a Cyberspace Operations Centre to integrate cyber operations into NATO planning and operations. The center will be fully operational in 2023.

NATO’s cyber posture is purely defensive. However, should it need to mount “offensive cyberspace operations” (OCO—“actions in or through cyberspace that project power to create effects which achieve military objectives”) during “Alliance operations and missions” (AOM), the capabilities would be provided by individual States through the “Sovereign Cyber Effects Provided Voluntarily by Allies” (SCEPVA) mechanism—and only in the context of an operation or mission approved by the North Atlantic Council (NAC). Since States deliver the capabilities voluntarily, they may impose their own limitations on the operations.

AJP-3.20 requires NATO cyber operations to comply with “international law, including the United Nations (UN) Charter, Law of Armed Conflict (LOAC) and human rights law, as applicable.” In doing so, it confirms a position NATO took in its Wales and Warsaw Summit Declarations and the 2016 Cyber Defense Pledge, among others instances. Within this legal framework, North Atlantic Council-approved operation plans and annexes, including rules of engagement (ROE), and standing NATO authority and policy, will further shape AOM cyber operations. The greatest determinant from a normative perspective, however, is whether the operations reach three thresholds—use of force, armed attack, and armed conflict—that determine the applicable law.

Below the Threshold Cyber Operations

For NATO, “armed attack” is the key threshold because that is the point at which Article 5 of the North Atlantic Treaty contemplates an Alliance collective response, the Alliance’s core raison d’être, pursuant to Article 51 of the UN Charter. NATO’s Strategic Concept, however, also envisages operations below the Article 5 threshold for crisis management and cooperative security purposes. In this regard, Secretary-General Jens Stoltenberg has emphasized that NATO must be prepared to respond to “serious cyber-attacks even if they don’t cross the Article 5 threshold.” This is a particularly prescient observation in light of the fact that cyber operations that clearly do not reach that level could prove highly destabilizing for the Alliance.

AJP-3.20 contains two footnotes that are legally relevant to cyber operations lying below the Article 5 threshold. The first involves an ongoing debate as to whether those operations that are remotely conducted from outside a State’s territory ever violate its sovereignty. The prevailing view is that, depending on the effects caused, they can. AJP-3.20 endorses this position in a footnote that provides, “Depending on the context, such COs [cyberspace operations] may nevertheless constitute a violation of international law as a breach of sovereignty or other internationally wrongful act.”

Damaging or injurious operations, or those that cause cyber infrastructure to no longer function, are widely considered to be sovereignty violations. Whether other remotely conducted cyber operations, such as those that temporarily interfere with functionality or merely cause it to operate in an unintended manner, violate sovereignty remains unsettled. To date, the most robust view in this regard is that expressed by France’s Ministry of the Armies: “Any cyberattack against French digital systems or any effects produced on French territory by digital means by a State organ, a person or an entity exercising elements of governmental authority or by a person or persons acting on the instructions of or under the direction or control of a State constitutes a breach of sovereignty.”

Other NATO members, such as the Netherlands and the Czech Republic, and numerous Partnership for Peace States—like Switzerland and Austria—have likewise expressed the view that cyber operations can violate sovereignty. The United States, while not taking a firm stance on the issue, appears to have left open the door to that possibility.

By contrast, in 2018 the United Kingdom took the position that sovereignty is not a rule of international law. Therefore, it issued a reservation to the AJP-3.20 text:

The AJP refers to cyberspace operations as being, dependent on the context, potential violations of international law as a breach of sovereignty. Whilst sovereignty is fundamental to the international rules-based system, the UK government does not consider that the current state of international law allows for a specific rule or additional prohibition for cyberspace operations beyond that of a prohibited intervention.

Operationally, this is a problematic position because the prohibition on intervention requires that the offending cyber operation involve (1) an area of activity left by international law to States (domaine réservé) and (2) that it be coercive (see the International Court of Justice’s Nicaragua judgment). As these are demanding criteria, many hostile cyber operations against NATO States will not run afoul of international law by the British approach. It merits emphasis that the AJP-3.20 footnote is on sound ground legally and that no other State (NATO member or not) has openly joined the United Kingdom in adopting its stance.

A second footnote highlights an issue of particular importance to an institution shouldering crisis management and cooperative security duties. Under international law, States are entitled to take proportionate “countermeasures” in response to another State’s unlawful cyber operation. A countermeasure is an act or omission that would be unlawful (for example, because it would violate sovereignty) but for the fact that it is designed to put an end to the other State’s unlawful activity or secure any reparations that might be due. In some cases, “hack backs” qualify as lawful countermeasures.

The footnote provides, “It is an unsettled area of the law whether international organisations or other states may conduct countermeasures on behalf of an injured state for unlawful acts that occur below the threshold of an armed attack.” In 2019 the President of Estonia took the position that collective countermeasures are lawful: “Among other options for collective response, Estonia is furthering the position that states which are not directly injured may apply countermeasures to support the state directly affected by the malicious cyber operation.” The same year, France responded that they are not.

It remains to be seen how the Alliance will handle this critical issue since its members regularly face hostile cyber operations not triggering collective defense under Article 5. It must be cautioned that despite the controversy, States may assist other States in remediating the effects of a hostile cyber operation. Indeed, NATO maintains cyber Rapid Reaction Teams to assist its members upon request.

Use of Force and Self-Defense

Article 2(4) of the UN Charter prohibits the threat or “use of force” by one State against another. When a use of force reaches the level of an “armed attack” under Article 51 of that instrument, the victim State may respond with necessary and proportionate force individually or collectively without breaching Article 2(4). This is the legal basis for the Article 5 of the North Atlantic Treaty. Despite some confusion caused by Russia, China, and a number of other countries during a UN Group of Governmental Experts (GGE) meeting in 2016-17, NATO’s position that this law applies in the cyber context is legally irrefutable.

The determinative question in applying the rules is when do cyber operations cross the “use of force” and “self-defense” thresholds, especially when the operations in question are neither physically destructive nor injurious? AJP-3.20 adopts a “scale and effects” approach that was first suggested by the Tallinn Manual experts. Drawing on the ICJ’s discussion of self-defense in the Nicaragua case, they recommended using scale and effects as the test for both thresholds. They also identified factors that States were likely to factor into that assessment, most of which also found their way into AJP-3.20.

According to the document,

[I]f COs cause effects that, if caused by traditional physical means, would be regarded as a use of force under Article 2(4) of the UN Charter or an armed attack under jus ad bellum, then such COs could similarly be regarded as a use of force or armed attack.

Criteria that could be considered in making this assessment include the scale and effects of the attack, which might take into account such factors as interference with critical infrastructure or functionality, severity and reversibility of effects, the immediacy of consequences, the directness between act and consequences, and the invasiveness of effects. COs that generally would not constitute a use of force or armed attack might involve effects that create only temporary disruptions or denials of service, or those intended merely for disseminating or gathering information. However, if done to enable or facilitate a wider, concurrent (or an imminent threat of) conventional attack, COs which independently would not ordinarily constitute a use of force, like a temporary denial of service, could be considered an armed attack. As a result, the legality of the response depends entirely on the context and the effects of the respective COs.

Some States, such as France, the Netherlands, and Australia, had already adopted this scale and effects approach. In light of AJP-3.20, all NATO States now appear to have done so. Nevertheless, given the malleability of the analysis, the document cautions that it is “the responsibility of the state that is the object of the armed attack, as well as that of those states coming to its collective defence, to perform an independent assessment. Any collective defence response by NATO will be subject to the political decisions of the NAC.”

Interestingly, AJP-3.20 does not address the contentious issues of whether a cyber armed attack by non-State actors that is not attributable to a State is encompassed in the notion of self-defense. Nor does it take on the issue of whether defensive operations at the use of force level are permissible into a State that is “unwilling or unable” to put an end to cyber operations amounting to an armed attack from its territory. Avoiding these issues was well-advised, for they would likely have precluded the necessary consensus on AJP-3.20 among the Allies.

Law of Armed Conflict

Should NATO find itself involved in an armed conflict, its cyber operations would be initiated through its joint targeting process for inclusion on the Joint Prioritized Target List (JPTL). In particular, targets would be subjected to a validation process that ensures compliance with the NATO-recognized “LOAC principles of military necessity, humanity, proportionality and distinction.” These are the same principles recognized in the 2015 GGE Report that was endorsed by the UN General Assembly. Target validation also helps ensure compliance with the relevant North Atlantic Council-approved operation plan, targeting annex, and Rules of Engagement, as well as the commander’s objectives, guidance, intent, and desired effects.

Beyond these generalities AJP-3.20 takes on the dual-use issue, noting “that, especially in cyberspace, some objects or entities may have both military and civilian uses,” and citing airports, electrical systems or network infrastructure as examples. It emphasizes the difficulty of determining whether the object is a valid military objective in the cyber context, although as a matter of law all dual-use objects are military objectives so long as they are currently being (or will be) used for military ends and attacking them “offers a definite military advantage.”

AJP-3.20 emphasizes that cyber-attacks may not be indiscriminate and that they must comply with the rule of proportionality. It notes in that regard that “assessing incidental injury or death to collateral objects can be more difficult in the context of CO as compared to more traditional physical means or methods.” Essentially, the AJP-3.20 instructs NATO forces to comply with all current LOAC rules, allowing for no exception on the basis of the uniqueness of cyber operations.

Wisely, the AJP avoids two unsettled LOAC issues, most likely because they might have blocked the requisite consensus. First, while all States agree that a destructive or injurious cyber operation qualifies as an “attack”—thereby rendering it subject to the LOAC rules governing attacks—no consensus exists as to when cyber operations lacking these effects are nevertheless attacks that must comply with LOAC rules. Second, there is an ongoing debate as to whether data is an “object,” such that a cyber operation that destroys, damages, or alters civilian data is an unlawful attack on a civilian object. That issue is likewise absent from the document.

Finally, AJP-3.20 highlights neutrality, which raises such questions as whether the transmission of cyber-attacks through a neutral country is lawful. In response, the document provides, “It will be for individual states to interpret and apply the law of neutrality in delivery of SCEPVA in support of AOM.”

Concluding Thoughts

The treatment of international law by AJP-3.20 is less than comprehensive. However, given the requirement of consensus among the 30 NATO members, it is an impressive accomplishment. In that it represents the agreement (with one exception on a single issue) of 30 nations, a number of which are very active in cyberspace, it is a major contribution by States to the interpretation of international law rules in the cyber context.

***

Michael N. Schmitt is the G. Norman Lieber Distinguished Scholar at the United States Military Academy. He is also Professor of Public International Law at the University of Reading, Strauss Center Distinguished Scholar and Visiting Professor of Law at the University of Texas, and Charles H. Stockton Distinguished Scholar-in-Residence at the United States Naval War College.