Cyber Symposium – The Private Sector View on Use of Force

Editor’s note: The following post highlights a subject addressed in the symposium entitled The Evolving Face of Cyber Conflict and International Law: A Futurespective presented by the Lieber Institute for Law and Warfare at the American University, Washington College of Law in June 2022. For a general introduction to this symposium, see Professor Sean Watts’ introductory post.

Even before Russia’s 2022 invasion of Ukraine, major Russian cyber operations were reportedly underway. Looking back, could these pre-invasion cyber operations be regarded as a use of force under international law? A survey of recent national statements on the applicability of international law in cyberspace sheds some light on how various States might draw the line as to which cyber operations reach the “use of force” threshold. Additionally, as cyber attacks increase in frequency and severity, understanding how these attacks play out in practice helps us anticipate challenges that States and the private sector would face when analyzing whether the “effects” of a cyber operation could constitute a use of force, and whether attempted attacks could meet this threshold.

An Effects-Based Approach

There is general recognition among certain States, including Australia, Brazil, Germany the UK and the US, that a cyber operation that results in destruction similar to a kinetic attack caused by conventional weapons would be treated similarly in terms of the application of international law. Recent expressions by States of their views on how international law applies to cyber operations have included, in some cases, considerations and hypothetical examples for the use of force threshold analysis.

A key element of the analysis is the effect of the cyber operation. For some cyber operations, the effects might not materialize immediately following the intrusion. These delays can be difficult to directly tie to the attack. Comparing the examples of a ransomware attack and a traditional missile attack on a hospital illustrates these challenges. In a ransomware attack disabling a hospital’s electronic systems, the attack could delay patient operations while the systems are recovered. As a result, patients could die. In practice, it will not be particularly clear if the delay in a patient’s operation led to that patient’s death, and more broadly, it may be difficult to track and assess deaths that are likely attributable to a specific cyber attack. By contrast, a missile attack on a hospital that kills patients would likely not raise these same questions when determining that it constitutes a use of force.

A subset of States have also indicated that a cyber operation could qualify as a use of force without physical effects – examples provided include attacks that interrupt essential services, compromise defense capabilities, or cause widespread and serious economic impacts. The U.S. DoD Law of War Manual notes that “cyber operations that cripple a military’s logistics systems, and thus its ability to conduct and sustain military operations, might also be considered a use of force under jus ad bellum.” (Sec. 16.3.1) For the same reasons, the effects analysis for these kinds of attacks would be potentially complicated, and likely require an analysis of the totality of the actor’s actions against the State alleging that the activity constituted use of force.

Further complicating the jus ad bellum effects-based analysis is the distinction between potential effects and actual effects. As organizations have bolstered their defenses, it is more challenging to anticipate what potential effects of a cyber operation would have been. While States may consider “intended effects” of cyber attacks, no country has described an actual thwarted cyber operation as a use of force, or a threat of use of force. Unlike an attempted kinetic attack where potential effects could be obvious, such as a missile that explodes in the air on its way to the target, more information may be needed about an attempted cyber operation. Understanding the potential effects of a cyber operation can also involve sophisticated technical analysis, which would allow States to understand the targeting infrastructure and the potential effects of the cyber attack. The analysis of effects may be conducted for example in terms of scale, severity, reversibility, and duration of the impact.

Private Sector’s Role in Jus ad Bellum Assessments

Finally, engagement with and understanding of the role of the private sector may be essential in applying the jus ad bellum framework to cyber operations. This is unique for cyber attacks and not always applicable for kinetic attacks. In the United States, the private sector owns the vast majority of critical infrastructure, including more than 80% of the country’s energy infrastructure. As a result, it may be important that governments consider and understand the impact of a cyber operation on privately-owned infrastructure to identify operations that would qualify as use of force. The ransomware attack on a major U.S. pipeline, during which the company proactively shut down its pipeline, affected fuel supply along the East Coast and highlights the challenges that governments may face if a State actor executed a similar attack. For example, the government would need to quickly assess if the operation was intentional, attribute the attack and analyze a range of other key questions based on information primarily in private sector hands.

The necessity of effective public-private partnerships compounds when evaluating aggregate effects of cyber operations under the jus ad bellum framework. In the lead up to Russia’s invasion of Ukraine, public reports indicated that at least 21 U.S. liquefied natural gas companies were targeted. Even though these attempted attacks ultimately had little impact, they provide an example of the need for information to connect the dots between attacks on private companies, and how that information may play a key role in providing legal assessment for the attacks within the jus ad bellum framework.

To date, no State has directly claimed that a cyber operation violated the rule prohibiting the use of force. Thus, although it is difficult to draw definitive legal lines on the effects analysis, understanding the effects and impact of cyber operations targeting critical infrastructure owned and operated by the private sector will play an important role in understanding how to interpret use of force thresholds in cyberspace. 

*The authors thank Sasha Keck for her research.

***

Veronica Glick is a partner in Mayer Brown’s Washington, DC office and a member of the firm’s National Security and Cybersecurity & Data Privacy practices.

David Simon is a partner in Mayer Brown’s Washington DC office and co-leader of Global Cyber Incident Response. David is a member of the Cybersecurity & Data Privacy practice, as well as a member of the firm’s National Security and Government Contracts practices. 

Photo credit: Unsplash