Reflections on the DoD General Counsel’s Cyber Law Address
On Tuesday, the General Counsel of the Department of Defense, the Honorable Caroline Krass, addressed the annual United States Cyber Command Legal Conference. Her speech followed in the footsteps of Hon. Harold Koh’s 2010 presentation to the conference as Department of State Legal Adviser (my thoughts here) and Hon. Paul Ney’s 2020 conference speech while DoD General Counsel (my thoughts here). Importantly, the remarks built upon the U.S. contribution to the 2021 Official Compendium on how international law applies to cyber operations that was prepared as part of the UN’s Group of Governmental Experts on Advancing Responsible State Behaviour in Cyberspace in the Context of International Security (GGE) process. The General Counsel’s address is also of particular significance in light of post-GGE statements on the subject by “Five-Eyes” partners United Kingdom and Canada.
Titled “Implementing Integrated Deterrence in the Cyber Domain: The Role of Lawyers,” the address was noteworthy with regard to both the strategic vision it set forth and its explanation of two international legal issues and two domestic legal issues. In this post, I offer my reflections on the former two.
The Strategic Vision
“Integrated deterrence,” a central aspect of the 2022 National Security Strategy and National Defense Strategy, refers to “the seamless combination of capabilities to convince potential adversaries that the costs of their hostile activities outweigh their benefits” (NSS at 22). The strategies involve integration across domains, regions, the spectrum of conflict, and the U.S. Government, as well as operating closely with Allies and partners. Both offensive and defensive cyber operations can play a vital role in these forms of strategic and operational “integration.”
The notion that deterrence can be fostered through integration is hardly a strategic epiphany. However, the General Counsel’s discussion of the role of law in the strategy is significant. She observes that integrated deterrence can be enhanced through the management of escalation and astutely acknowledges that cyber operations pose a particular risk of “inadvertent escalation” because of a lack of shared understanding of the rules and how they apply. Indeed, as I explained in 2017, uncertainty as to the law risks generating escalation.
Consider the case of a State that conducts a cyber operation in the belief that the operation does not amount to an internationally wrongful act. The target State responds with a countermeasure based on its assessment that the first operation constituted an internationally wrongful act. Because the first State believed it had acted lawfully, it might now interpret the countermeasure as escalatory.
For the General Counsel, one remedy to this problematic dynamic is for lawyers to “clearly articulat[e] legal standards; work[ ] alongside policymakers to develop and implement norms of responsible behavior; and help[ ] to provide a vocabulary for States to communicate expectations and redlines, all with the objective of adding a measure of predictability to cyber-related interactions between State actors.”
Such clarity not only impedes unintended escalation but also facilitates deterrence. After all, classic deterrence theory holds that the certainty of response is an important factor in deterring an adversary. As I observed in 2017,
Clarification of grey zone issues will … enhance deterrence in cyberspace. International law provides for set categories of responses to specified types of actions. Unfriendly but lawful cyber activities may be responded to by acts of retorsion. Internationally wrongful cyber operations, on the other hand, may permit “injured” States to take cyber or non-cyber countermeasures. Cyber operations amounting to an armed attack may be responded to with cyber or kinetic uses of force. Certitude that a cyber operation can risk consequences at a set level can deter the taking of that operation because the State concerned cannot act in the hope that the target State will hesitate to respond out of concern that its response might be viewed as unlawful.
The General Counsel pointed out two further contributions lawyers can make to integrated deterrence. First, she highlighted “campaigning,” which “occurs through day-to-day contact with our competitors.” Effective campaigning requires understanding when cyber operations might cross legal thresholds. Lawyers can play a central role in identifying those thresholds and explaining them to decision-makers and operators. She cites those for prohibited intervention and the use of force, but others include the threshold at which a remotely conducted cyber operation violates the sovereignty of the State into which it is conducted and the armed attack threshold, which triggers the right to use force in self-defense under Article 51 of the UN Charter and customary international law. Although these latter thresholds are somewhat unsettled, the point she makes is on the mark. A State that does not understand where a threshold lies risks either responding when it is not entitled to do so under international law or forgoing an option legally available to it. In other words, effective campaigning necessitates understanding the rules of the game.
Second, General Counsel Krass highlights interoperability, which, as readers of Articles of War understand, is a key to effective joint and combined operations. As she notes, “it is important to have common understandings of the respective legal frameworks governing our actions in cyber.” Of course, there will always be issues, including core issues, on which even close friends disagree. For instance, the UK’s view that sovereignty is not a rule of international law applicable to cyber operations is unique among the NATO Allies, at least those that have addressed the issue head-on. Similarly, disagreement persists within the Alliance over the possibility of collective countermeasures. And the Allies are split on the existence of a due diligence rule.
Resolving these differences through agreed positions will not always be possible. Nevertheless, as the United Kingdom noted in its 2021 submission on international law to the UN GGE, “differing viewpoints on such issues should not prevent States from assessing whether particular situations amount to internationally wrongful acts and arriving at common conclusions on such matters.” To illustrate, what many (most) States would see as a sovereignty violation, the UK might label prohibited intervention. Or while some States believe there is a legal obligation of due diligence to take feasible measures to put an end to ongoing hostile cyber operations from one’s territory that have serious adverse consequences vis-à-vis another State’s international law right, all States agree that due diligence is at least a “voluntary, non-binding norm of responsible State behavior” (2021 GGE Report, ¶¶ 29-30). Thus, while, as the General Counsel notes, “[t]here is always room to create more commonality, and thus enhanced integrated deterrence,” continued legal differences need not necessarily stand in the way of integrating deterrent efforts.
General Counsel Krass concludes her discussion of the strategic environment with the sage observation that “[c]larity, predictability, and shared understandings of the law played the same important role for deterrence in the cyber domain as they do in other areas of state conduct, whether in competition or in conflict.” And she accurately notes that “[i]ncreased transparency enhances legitimacy and predictability by helping to develop and strengthen expectations surrounding State behavior, as well as possible responses, in the rapidly evolving cyber domain.”
These are tremendously significant statements coming from the Department of Defense’s General Counsel. There is a longstanding debate over whether ambiguity or clarity is preferable with respect to State positions on how international law applies in cyberspace. Reasonable arguments support both sides. For instance, there is no question that ambiguity allows for flexibility. But while I acknowledge the strategic and operational utility of ambiguity, I have long argued that its costs are outweighed by the benefits of further clarity, including those cited in the address. The position taken in the address is music to my ears.
Before turning from the strategic legal environment, I might add one gentle caveat to a point the General Counsel made regarding the identification of international cyber law. She stated,
[I]n contrast to many other areas of State activity, outsiders are rarely able to observe State cyber behavior directly. As a result, the cyber domain often affords minimal public visibility into the two preconditions for establishing customary international law: general and consistent State practice and opinio juris, which are statements affirming that a State is acting out of a sense of legal obligation. As a result, there is heightened value in States continuing the public conversation regarding how specific rules of international law – whether established in treaty or by custom – apply in cyberspace, and publicly identifying violations when they occur.
While broadly fair, the statement, similar to those made by other States like Israel, can be (mis)interpreted in a manner that overemphasizes State practice vis-à-vis cyber operations. Indeed, as the General Counsel notes, such practice often occurs behind the curtain. That fact should not unduly hobble the identification of applicable legal rules and how they operate in the cyber context. There are two reasons.
First, rules of international law generally can be presumed to apply to new technologies (although that presumption is rebuttable, for instance, because the application to the new technology runs counter to the object and purpose of the rule). Consider, for example, the obligatory reviews of new weapons against existing rules as required by customary law and, for Parties, Article 36 of Additional Protocol I to the Geneva Conventions (see also Nuclear Weapons advisory opinion).
Second, and as importantly, a distinction must be made between the crystallization of a new customary rule of international law, which requires State practice and opinio juris, and the interpretation of an existing rule, which does not. True, sufficient State practice and opinio juris may exist at a certain point to justify characterizing an interpretation as authoritative. But prior to that point, States enjoy a margin of appreciation in the interpretation of existing international law rules so long as they act in good faith, the interpretation is reasonable, and the consequence of that interpretation does not fly in the face of the original object and purpose of the rule.
The Law
Those who might have hoped for a wide-ranging U.S. survey of the international law environment as applied in cyberspace were likely disappointed by the General Counsel’s presentation. Of particular note, the use of cyber operations by both sides in the war between Russia and Ukraine has implicated the law governing the use of force (jus ad bellum), international humanitarian law, and neutrality law. Indeed, given U.S. Cyber Command’s role in the conflict (my thoughts here), interesting questions about the use of force threshold, whether the United States is a party to the conflict, and qualified neutrality have surfaced. Yet none of these issues was tackled.
Even outside the context of that conflict, unsettled issues of law went unaddressed. Notably, although the General Counsel identified U.S. First and Fourth Amendment issues, little effort was made to address the analogous international human rights issues of expression and privacy. Similarly, the United States has taken a position on due diligence but given the split among key Allies and partners as to whether it is a legal obligation (I believe it is), further explanation of the U.S. rejection of its obligatory character (shared by the Five-Eyes States and Israel) would have advanced the international discourse.
And the elephant in the room remains sovereignty. The General Counsel “affirmed that States conducting activities in cyberspace must take into account the sovereignty of other states, including outside the context of armed conflict.” That reads like confirmation that the United States has adopted the “sovereignty-as-a-rule” position that enjoys near universal support among States that have opined directly on the matter. This is especially so in light of its contribution to the aforementioned International Law Compendium, in which the United States observed that “State sovereignty, among other long-standing international legal principles, must be taken into account in the conduct of activities in cyberspace” and acknowledged, “in certain circumstances, one State’s non-consensual cyber operation in another State’s territory, even if it falls below the threshold of a use of force or nonintervention, could also violate international law” (begging the question, if not sovereignty, then what?). And the U.S. failure to reserve, as the United Kingdom did, when NATO doctrine (AJP 3.20 at 20) acknowledged sovereignty’s status as a rule likewise seemed to support, at least implicitly, the sovereignty-as-a-rule position.
But General Counsel Krass did not take the final step and unambiguously confirm that sovereignty is a rule (my view), which would have been uncomfortable for the United Kingdom given its dogged maintenance of the no sovereignty rule position during a 2022 Chatham House speech by the then U.K. Attorney General. As the number of States adopting the sovereignty as a rule position grows, the United States will eventually have to take an unambiguous position on the matter.
But disappointment as to the scope of the address is somewhat unfair, for it did take on two key international law issues that are presently the subject of much discussion in the practitioner and scholar communities – intervention and countermeasures.
Intervention
There is broad agreement that the international law prohibition on intervention into the internal affairs of other States applies fully in the cyber context. The Tallinn Manual 2.0 experts and the States participating in the 2013, 2015, and 2021 GGEs, for instance, unanimously agreed that was so. And there seemed to be universal consensus that the two elements of intervention cited by the International Court of Justice in its Paramilitary Activities judgment – 1) coercion with respect to 2) matters States are permitted to decide freely (domaine réservé) – were accurate (¶ 205).
However, the United Kingdom’s rejection of sovereignty as a rule created a problem for that State, for if intervention is understood strictly, and there is no rule of sovereignty, hostile cyber operations into the United Kingdom might not be internationally wrongful. This would not only preclude naming and shaming States conducting such operations as violators of international law but also mean that there would be no right to take countermeasures, which require an “internationally wrongful act” as a condition precedent (Articles on State Responsibility, art. 49). Thus began a vibrant debate in which some participants have pushed to lower the threshold of coercion and expand the scope of the domaine réservé, seemingly to compensate for the absence of a rule of sovereignty.
An overly creative interpretation of law should never be used to counterbalance a separate mistake of law. Therefore, I am delighted at the positions taken in General Counsel Krass’s presentation concerning intervention. They are likely to appeal to most international lawyers, for they are quite conventional. Most significantly, and correctly in my view, she notes that “the scope of prohibited intervention is generally understood to be relatively narrow.”
The discussion of domaine réservé is sophisticated. The General Counsel begins by citing (without naming) the Permanent Court of International Justice’s 1923 Nationality Decrees advisory opinion. Although the PCIJ was not dealing directly with the issue of intervention, its discussion of domaine réservé can be applied analogously. In Nationality Decrees, the Court noted that there are …
certain matters which, though they may very closely concern the interest of more than one state are not, in principle, regulated by international law. As regards such matters, each state is the sole judge. The question whether a certain matter is or is not solely within the jurisdiction of the state is an essentially relative question; it depends upon the development of international relations. (at 23-24)
Restated, the domaine réservé consists of areas of activity that have not been committed to international law and therefore remain the responsibility of the States concerned.
General Counsel Krass notes that some States have identified some of these areas. For example, Italy, New Zealand, and the United Kingdom have cited healthcare, and the United Kingdom has pointed to financial markets, energy supply, and (like the United States) elections. As to an area of activity that does not lie within the domaine réservé, she highlighted the paradigmatic one, activities subject to international human rights law. Thus, she notes,
excessive regulation of online content, including censorship and access restrictions, cannot be justified as a sovereign prerogative. And as the United States has reaffirmed, “any regulation by a State of matters within its territory, including use of and access to the Internet, must comply with that State’s applicable obligations under international human rights law.”
For example, the provision of internet access by one State to residents of another in response to the latter’s suppression of online expression would not amount to intervention (although it might qualify as another violation, such as non-innocent passage if conducted from a maritime platform in the latter’s territorial sea).
These are uncontroversial illustrations of the concept. But the important point the address confirms is that the United States understands that the scope of the domaine réservé is dynamic. As international law develops to govern an activity, its domaine réservé shrinks. This is important as States consider the possibility of new international treaty or customary law or their positions on how existing law applies in the cyber context.
More significant with respect to the vector of the prohibition on intervention is the coercion element. As General Counsel Krass notes, “the scope of coercion for purposes of prohibited intervention remains particularly undertheorized and underdeveloped.”
She begins her discussion by noting, as the ICJ did in the Paramilitary Activities judgment (¶ 205), that uses of force qualify as intervention. Therefore, if intervention is to have independent valence, operations below that level of severity sometimes may qualify as intervention. The question she poses is how severe the action must be to so qualify.
I am unconvinced that this is a pressing question. Of course, operations with de minimis effects are generally not coercive as a matter of fact and, therefore, not of law. Beyond that, an operation’s coercive effects matter much more than its severity. Severity influences coerciveness, but I do not see severity as a stand-alone issue bearing on the existence of a prohibited intervention.
The second question the General Counsel points to is particularly significant. There is consensus that an act designed to coerce another State into engaging in an action concerning its domaine réservé that it would otherwise not engage in or to desist from one it would otherwise take is coercive. Coercion can manifest in two ways. On the one hand, a State may deny another State a choice concerning its domaine réservé directly, as in the case of using cyber operations to manipulate election results. On the other, a coercive act can target the will of the State concerned, for instance by conducting cyber operations that cause losses in a sector of the economy, which in turn leads to a change in domestic economic policy that otherwise would not have taken place. In these latter cases, the difficulty is distinguishing a cyber operation that is merely influential from one that rises to the level of coercion, for coercion requires depriving another State of choice, and not just making a choice unappealing.
That challenge is not new. But in her address, the General Counsel perceptively zeroes in on a novel approach to coercion that is increasingly being discussed in international law circles. By it, “any act that deprives a state of freedom of control over elements of its domaine réservé would constitute prohibited intervention.” An example would be a State conducting ransomware attacks against the private healthcare sector to secure ransom payment instead of influencing a healthcare policy choice of the State into which the operation was mounted.
As General Counsel Krass noted, “[t]his broader approach may stem from a desire to hold states accountable for seriously disruptive conduct without requiring a target state to show that the conduct was meant to induce a particular act or omission.” It is for this very reason that the interpretation may appeal to advocates of the “sovereignty is not a rule” camp. After all, it widens the aperture of intervention, which can compensate for the absence of a sovereignty rule and, therefore, render the hostile cyber operation in question an internationally wrongful act.
The General Counsel hits the nail on the head when she observes that “focusing solely on deprivation of control, without more, could turn any disruptive cyber activity by a state that affects, even unwittingly, certain elements of another State’s activities into an unlawful intervention.” Indeed, such an approach would encompass operations that even sovereignty advocates might not characterize as unlawful. These might include (see Tallinn Manual 2.0, rule 4) remotely conducted cyber operations into a State’s territory that either do not generate effects at the requisite level, or that affect aspects of a State’s domaine réservé that do not qualify under international law as “inherently governmental functions” (e.g., medical care).
Finally, General Counsel Krass takes on the question of whether the act of intervention must succeed to be internationally wrongful. She, correctly in my view, observes that such a requirement “could have paradoxical results.” It would mean that a cyber operation against a State capable of defending itself would not violate the prohibition, whereas the same operation against a State that cannot do so would be internationally wrongful. As she notes, “[s]uch an outcome could impede the ability of States with more robust and resilient defenses to call out violations and, if desired and appropriate, to respond lawfully with countermeasures” (which are only available in the face of an internationally wrongful act).
Countermeasures
The second international law issue addressed by General Counsel Krass is countermeasures. Under the law of State responsibility, a countermeasure is an action that would be unlawful but for the fact that it is designed to end another State’s internationally wrongful act and/or secure any reparations that may be due. Countermeasures are an essential aspect of a State’s response options in the face of hostile cyber operations falling below the “armed attack” threshold that triggers the right of self-defense (UN Charter, art. 51).
The law governing countermeasures has been outlined in the International Law Commission’s restatement of the law of State responsibility, the Articles on Responsibility of States for Internationally Wrongful Acts (ASR). The points made by the General Counsel adhere closely to the articles dealing with countermeasures (arts. 22, 49-54), although several points merit mention.
First, General Counsel Krass returns to the issue of whether unsuccessful intervention may constitute an internationally wrongful act because such an act is a condition precedent to engaging in a countermeasure. However, it is well-accepted that countermeasures are limited to imminent or ongoing operations. If a cyber operation has failed, there are only two bases for engaging in a countermeasure. The first is when the unsuccessful cyber operation is but one in a series of operations (a campaign), and a countermeasure is necessary to prevent follow-on operations. A countermeasure would also be available to secure any reparations for harm that may have been caused during the failed operation. In this regard, it is noteworthy that the right to employ countermeasures to secure reparations is not mentioned in the General Counsel’s address (ASR, art. 49(1)).
Second, Article 51 of the ASR provides that “[c]ountermeasures must be commensurate with the injury suffered, taking into account the gravity of the internationally wrongful act and the rights in question.” This rule of proportionality considers quantitative (degree of harm) and qualitative (wrongful act and right involved) factors. However, the General Counsel goes further by noting that proportionality must also be assessed “in relation to what is necessary to induce the breaching state to cease its wrongful conduct.”
This criterion is similar to the proportionality requirement in the law of self-defense. Although it does not appear in the Articles on State Responsibility, the United States has long taken the position that it nevertheless applies to countermeasures. For instance, in 1977 comments on a draft of the ASR, the State Department observed, “[p]roportionality means principally that countermeasures should be tailored to induce the wrongdoer to meet its obligations under international law, and that steps taken towards that end should not escalate but rather serve to resolve the dispute.” It reaffirmed this view in 2001.
And General Counsel Krass reiterates a further point that the United States has long made. Under the ASR, an “injured State” must call on the “responsible State” (the one engaging in the internationally wrongful act) to cease its unlawful conduct except when “urgent countermeasures” are necessary (art. 52). This is a reasonable requirement because if the objective of countermeasures is to return the situation to one of lawfulness, placing the responsible State on notice of the risk of countermeasures may alone resolve the situation.
However, as the General Counsel cautions, the requirement can sometimes be problematic in the cyber context, for prior notification might allow the target of the countermeasure to take measures that would deprive the countermeasure of its effectiveness. The Tallinn Manual 2.0 experts and all States that have spoken directly about this issue concur that notice need not be provided in these cases.
Finally, General Counsel Krass asks, “can the doctrine of countermeasures have any applicability to assist the state that has been the victim of a cyber operation that has been completed and is irreversible? Suppose the internationally wrongful act in which a state is engaged involves ‘hack and leak’ activities.”
Countermeasures would only be a response option in this situation if, as discussed above, the hostile cyber operation is but one facet of a cyber campaign being directed against the injured State. The General Counsel recognizes that the expectation of further internationally wrongful acts is relevant, correctly so in my view. However, except when reparations may be due, a response to a hostile cyber operation that is over and will not be repeated is mere retaliation. Accordingly, it cannot qualify as a countermeasure and therefore does not enjoy the status of a circumstance precluding wrongfulness under the law of State responsibility.
Interestingly, the address did not deal with a key issue in the law of countermeasures. For some time, there has been an ongoing debate over whether countermeasures may be conducted collectively in the same way that collective self-defense is permissible in international law. This is a critical issue for States that lack the capability to respond effectively to hostile cyber operations by other States and would therefore need to look to Allies and partners either to assist them or conduct a response on their behalf. The issue is of particular significance in the NATO space.
Sean Watts and I have examined this issue in a 2021 article. We concluded that “[w]hile both … interpretations of the rule are reasonable, some of the common justifications underlying the argument against collective countermeasures … do not hold up to close scrutiny.” In light of the tendency of some U.S. adversaries to engage in cyber operations against Allies and partners who may lack response capability, it is unfortunate that the opportunity to clarify the U.S. position was not seized.
Concluding Thoughts
In a 2015 International Law Studies article, Sean Watts and I argued that “[g]reater sensitivity on the part of States to the centrality of expressing opinio juris to law formation and interpretation appears merited.” General Counsel Krass and her team are, therefore, to be applauded for setting forth the Department of Defense’s strategic approach to cyber law clarification and discussing key aspects of international and domestic law governing cyber operations by and against the United States. Her address is the latest contribution to a growing, and laudable, willingness on the part of States to provide opinio juris on how law applies in cyberspace. It is a trend that will enable States to better manage the development of cyber norms, as they should, for States occupy a place of prominence in international law formulation and interpretation.
***
Michael N. Schmitt is the G. Norman Lieber Distinguished Scholar at the United States Military Academy at West Point. He is also Professor of Public International Law at the University of Reading and Professor Emeritus and Charles H. Stockton Distinguished Scholar-in-Residence at the United States Naval War College.