Terminological Precision and International Cyber Law
The recent spate of hostile cyber operations by States, non-State groups affiliated with States, and non-State groups operating on their own has resulted in a cacophony of pronouncements and commentary by political leaders, pundits, journalists, and legal experts. As illustrated by cyber operations such as SolarWinds and the Microsoft Exchange operations attributed to China, much of the discussion reveals a misunderstanding of how international law applies to cyber operations. This misunderstanding can often be traced to misuse of legal terms like attribution, countermeasures, below-the-threshold operations, due diligence, use of force, self-defense, cyberwar (armed conflict), and attack. Frequently, the terminological imprecision leads to confusion over the legal character of hostile cyber operations and the response options that international law allows targeted States.
In this post, I offer an abbreviated lexicon of the legal terms that are most frequently misused. It is far from a comprehensive discussion of these terms; Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (TM 2.0) offers deeper analysis of each, and readers are directed there for a full explanation of them. Instead, my objective here is merely to sensitize readers to the legal content of the terms and highlight certain unsettled legal issues regarding them.
There are three types of attribution—technical, political, and legal.
Technical attribution refers to using technology to identify a cyber operation’s originator. No evidential standard exists for technical attribution as a matter of law. Instead, the degree to which a cyber expert can attribute a hostile cyber operation to a particular individual or entity bears on both political and legal attribution.
Political attribution involves one or more States accusing another of conducting a hostile cyber operation or being behind an operation undertaken by non-State actors. There is no legal requirement for a particular quantum of technical and other evidence before a State engages in political attribution, for international law does not prohibit political attribution that is poorly supported or even knowingly wrong. Instead, States engaging in political attribution assess whether the perceived value of publicly attributing a cyber operation outweighs the cost of possibly misattributing that operation.
Legal attribution, by contrast, is one of two requirements for characterizing a hostile cyber operation as unlawful—in legal terms, an “internationally wrongful act.” The other is the breach of a primary rule of international law like the obligation to respect sovereignty or the prohibitions on intervention and the use of force (TM 2.0, rules 4, 66, and 68).
The customary international law of attribution has been reliably restated in the International Law Commission’s Articles on State Responsibility, which includes extensive commentary on each rule. Of note among the bases for attribution are Articles 4 and 8. The former provides that the acts of State organs, like intelligence agencies or the armed forces, are attributable to the State. The latter stipulates that non-State actors’ actions conducted pursuant to a State’s “instructions, or direction or control” are attributable to that State.
A cyber operation attributable to a State (“responsible State”) that breaches an international law rule opens the door to a number of remedies for the victim State (“injured States”). These include, as appropriate, cessation of the hostile operation, assurances and guarantees of non-repetition, and reparations, which may take the form of restitution, compensation, and satisfaction (ASR, arts 30-31, 35-37). Moreover, such operations sometimes open the door to countermeasures, an option described below (ASR, art 22, 49-53). If a hostile cyber operation either is not attributable to a State or does not breach an international law rule, the target State is generally limited to responding with acts of retorsion—unfriendly but lawful actions. The paradigmatic example is sanctions.
In certain limited circumstances, violation of international law does not require attribution of the hostile cyber operation to a State. The two key examples are law of armed conflict violations by a non-State actor that is a party to the conflict and international criminal law violations—including war crimes, crimes against humanity, and genocide—by individuals.
The term countermeasures is often used in a non-legal sense to refer to actions taken by armed forces to defeat hostile operations during both peacetime and armed conflict. However, the term has a particular meaning in the legal context. In international law, a countermeasure is an “act” (which includes both actions and omissions) that would be unlawful but for the fact that it is meant to compel another State to cease its unlawful conduct and/or secure reparations for harm suffered (ASR, art 49). Numerous other requirements, such as proportionality between the harm sustained and that caused by the countermeasure, exist (ASR, arts 51-53). Countermeasures are only available in response to cyber operations that constitute internationally wrongful acts; thus, they are unavailable as a response to non-State actor cyber operations that are not attributable to a State (but see due diligence below).
In the cyber context, countermeasures are often thought of as hack-backs. While some cyber countermeasures may involve targeting the cyber infrastructure used to conduct the hostile operation, there is no requirement that this is so (TM 2.0, rule 23 commentary). For instance, countermeasures may be directed against other cyberinfrastructure to convince the State engaging in an unlawful cyber operation to desist. An example would be conducting damaging cyber operations against private cyber infrastructure in response to a hostile cyber operation by the State’s armed forces. The intent would be to pressure that State to terminate the operation. Indeed, countermeasures need not even be in-kind. Non-cyber countermeasures are permissible in response to unlawful cyber operations and vice versa. For example, a State might close its airspace to another State’s aircraft even if access to that airspace is provided for by treaty, at least until the latter has terminated its unlawful cyber operations and made good any harm suffered by the former.
An unsettled issue is whether collective countermeasures are permissible. A collective countermeasure would involve one or more States assisting a State that is lawfully taking countermeasures. It may even involve the former conducting countermeasures on behalf of the latter. States are split on this issue. For example, in NATO, France rejects collective countermeasures, while Estonia embraces them. Professor Sean Watts and I have analyzed this issue in some depth and concluded that the better view is that they are permissible.
As between parties to an armed conflict, the concept of countermeasures seldom applies (minor exceptions exist). This is because during armed conflicts the parties are entitled to engage in activities, such as destroying military objectives and harming combatants, that would otherwise be unlawful. Therefore, there is no need for cyber operations against the enemy to qualify as countermeasures to avoid violating international law.
The term “due diligence” in the cyber context refers to the obligation of States to
1) take feasible measures to
2) put an end to
3) ongoing hostile cyber operations that are
4) conducted from or through cyber infrastructure located on their territory,
5) of which they know, and that are having
6) serious adverse consequences for a
7) right under international law, like sovereignty, of another State (TM 2.0, rule 6).
Although the obligation applies to cyber operations by both States and non-State actors, the duty is somewhat limited. For example, it does not require States to prevent the use of their territory for such operations or to monitor cyber operations from that territory. Moreover, there is no requirement to address every hostile cyber operation. Only those causing serious consequences in another State concerning a right that the State enjoys under international law need to be stopped. Finally, the obligation is only to engage in remedial measures that the State is reasonably capable of taking in the circumstances.
Due diligence is of particular importance when a hostile cyber operation cannot be attributed to a State. Although countermeasures are unavailable in response to cyber operations by non-State actors, if the State from which they are launched is in breach of its due diligence obligation, that internationally wrongful act opens the door to countermeasures. Those countermeasures can take the form of either cyber operations into the State’s territory directly against the non-State actors or cyber operations designed to pressure the State to comply with its duty to terminate the operations.
Most States that have spoken to the issue of due diligence accept its status as a rule of international law (recent examples include Germany and Japan). Israel takes the opposite position, while many other States have refrained from adopting a firm stance. There is widespread agreement, however, that whether or not due diligence is a legally binding obligation under international law, it is at least a so-called “voluntary, non-binding norm of responsible State behavior” (see discussion here). In other words, responsible members of the international community should act consistent with the rule.
During an international armed conflict, the law of neutrality will sometimes supplant the due diligence obligation. Under that long-standing body of law, a neutral State is responsible for putting an end to belligerent operations, including cyber operations, from its territory (Law of War Manual, sec 16.4.1). Should it fail to comply with this duty, and if the consequences of the cyber operations from neutral territory are significant, the aggrieved belligerent may engage in self-help, including forcible measures, to terminate those operations (TM 2.0, ch 20).
The terms “below” and “above-the-threshold” are the cause of significant confusion because those who use them often fail to indicate the threshold to which they are referring. For instance, the terms can refer to the threshold of lawfulness—as in whether a remotely conducted hostile cyber operation trips over the threshold for a breach of sovereignty (TM 2.0, rule 4). They can also indicate the thresholds at which a cyber operation qualifies as a use of force or entitles a State to use force in self-defense against a hostile cyber operation. And the terms sometimes denote the point at which cyber operations qualify as either an international or non-international armed conflict.
Each of these thresholds is discussed below. The critical point here, however, is that every discussion of a “threshold issue” must be accompanied by a reference to the threshold in question to ensure those involved in the discussion are considering the same point of law.
Article 2(4) of the UN Charter and customary law prohibit “uses of force” except when authorized by the UN Security Council under Chapter VII of the UN Charter, engaged in with the consent of the State in which it occurs, or qualifying as an act of self-defense (see below). It is well accepted that cyber operations causing significant physical damage or injury are uses of force (Law of War Manual, sec 16.3.1). Most States would also agree that cyber operations resulting in substantial permanent loss of cyber infrastructure’s functionality qualify as unlawful uses of force (TM 2.0, rules 68-69). It must be cautioned that a non-State actor’s hostile cyber operation at the use of force level does not violate the use of force prohibition absent attribution to a State. Instead, such operations are primarily violations of domestic law.
The unsettled issue in international law is, absent these circumstances, when do operations nevertheless qualify as a use of force? Very few States have addressed this issue head-on. The Tallinn Manual 2.0 experts concluded that until consensus develops among States as to the appropriate threshold for qualifying a cyber operation as a use of force, a number of factors will bear on the likelihood that States will characterize a particular cyber operation as a use of force. These include severity, immediacy, directness, invasiveness, measurability of effects, military character, State involvement, identity of the attacker, record of cyber operations by the attacker, and nature of the target (TM 2.0, rule 69 commentary). Except for severity, no one factor is determinative. Rather, these and others will be considered together on a case-by-case basis. Several States have adopted the approach, typically by referring to the “scale and effects” of the cyber operation in question (e.g., Australia, Finland, Germany, the Netherlands, and New Zealand). France has gone further by endorsing many of the factors identified by the Tallinn Manual 2.0 experts.
There are two key takeaways concerning uses of force in the cyber context. First, there is a growing consensus that uses of force need not be physically destructive or injurious, although the circumstances in which such an operation amounts to the use of force remain unsettled. Second, cyber uses of force do not necessarily open the door to responses based on self-defense. Only uses of force that qualify as “armed attacks” do so. The sole purpose of determining whether a cyber operation is a use of force is to determine whether the State to which the operation can be attributed has violated that prohibition.
The term self-defense is often misused to mean any defensive response to hostile cyber operations. However, in international law, self-defense is a concept limited to situations in which a State targeted by a use of force (see above) at the “armed attack” level may lawfully respond with its own forcible actions—whether cyber or non-cyber—despite the aforementioned prohibition on the use of force (TM 2.0, rule 71). The response must be both necessary and proportionate (TM 2.0, rule 72). Necessity denotes a need to respond at the use of force level, while proportionality refers to a degree of force that is no greater than required in the circumstances to respond to the armed attack.
The customary right of self-defense, which exists in treaty form in Article 51 of the UN Charter, includes collective defense. Thus, States facing an armed attack in cyberspace may look to other States to defend them or to assist in their defense, whether by cyber or non-cyber means. Article 51 provides the basis for Article 5 of NATO’s North Atlantic Treaty, which allows the Alliance to come to the defense of its members.
The critical question concerning the right of self-defense in the cyber context is when does a hostile cyber operation rise to the level of an “armed attack?” No consensus exists on this matter. Most States, however, accept the International Court of Justice’s characterization of armed attacks in its Paramilitary Activities judgment. There the Court described them as the “most grave forms of the use of force” (para 191). In other words, wherever the use of force line lies, the armed attack threshold that gives the target State the right of self-defense is above it. Thus, while there is no reason to exclude cyber operations that are not physically destructive or injurious from the ambit of armed attacks, fewer would qualify as armed attacks than is the case with characterization as a use of force.
Notably, the United States has never accepted the premise that an armed attack is a severe form of use of force (Law of War Manual, sec 184.108.40.206). For the United States, there is no difference between a use of force and an armed attack; all unlawful uses of force are armed attacks. Therefore, by its interpretation, the United States believes it may lawfully respond forcibly, whether by cyber or non-cyber means, to any unlawful cyber operation that amounts to a use of force (Law of War Manual, sec 220.127.116.11).
A key unsettled issue about the right of self-defense against cyber armed attacks, one that also exists in the non-cyber context, is whether the right of self-defense is available to a State facing cyber operations at the armed attack level by non-State actors who are not acting “by or on behalf” of a State, or with a State’s “substantial involvement” (Paramilitary Activities, para 195). The U.S. view is that the right of self-defense extends to cyber operations by both States and non-State actors; this is the better view as a matter of law. Relatedly, it is unsettled whether a State may respond into another State’s territory against non-State actors conducting cyber operations at the armed attack level. The U.S. position is that it may, based on the so-called “unwilling or unable” test (TM 2.0, rule 71 commentary). Again, this is a defensible approach.
“Cyberwar” is perhaps the most misused of the terms drawn from international law. In fact, most operations characterized as cyberwar or acts of war are not (see, e.g., here).
In international law, the term war has been supplanted by “armed conflict” since adoption of the 1949 Geneva Conventions. Armed conflicts may be either international or non-international. The significance of qualification as one of these types of armed conflicts is that once a situation is an armed conflict, the law of armed conflict applies. In other words, armed conflict is a choice of law concept.
A situation of international armed conflict exists when there are hostilities between States or between a State and a non-State group under a State’s “overall control.” In the cyber context, the critical issue is the point at which a cyber operation qualifies as an exchange of “hostilities” (TM 2.0, rule 82). A degree of uncertainty exists over this matter. Indeed, to date, no State has publicly claimed it is in an armed conflict solely based on being targeted by another State’s hostile cyber operation. The Tallinn Manual 2.0 international group of experts took a practical approach to the matter. It held that a cyber operation that qualifies as an “attack” under the law of armed conflict (see below) amounts to engaging in hostilities (TM 2.0, rule 82 commentary) and therefore generally initiates an international armed conflict.
The law applicable in an international armed conflict is more developed than that which applies during non-international armed conflicts. Nevertheless, there is a fair degree of congruency between the two bodies of law, especially with respect to the conduct of hostilities. A non-international armed conflict exists when a State and an organized armed group, or multiple organized armed groups, are engaged in protracted hostilities at a relatively high degree of intensity (Tadić, Appeals Chamber Decision, para 70). Because of the intensity required for qualification as a non-international armed conflict, it is unlikely, albeit not impossible, that a cyber exchange standing alone would have that status. Instead, the more likely scenario is one in which the law of armed conflict governs cyber operations because they are part of an ongoing kinetic non-international armed conflict, as in the case of cyber operations directed at ISIS (see here, here, and here).
The term “attack “is frequently used to refer to any hostile cyber operation. This creates confusion because in international law the term has a specific meaning in two situations. First, as discussed, an “armed attack” is the condition precedent to the exercise of self-defense. Most hostile cyber operations fall below the level of an armed attack and therefore do not open the door to a response involving the use of cyber or non-cyber force. To label them “attacks” risks misunderstanding the response options available to the victim State.
Second, in the law of armed conflict, “attacks” is a term of art that refers to “acts of violence against the adversary, whether in offense or in defense” (Additional Protocol I, art 49, generally considered reflective of customary law). This is significant because many of the law of armed conflict “conduct of hostilities” rules apply only to operations that are attacks as a matter of law (Law of War Manual, sec 16.5.1). For instance, it is prohibited to attack civilians or civilian objects, but these rules do not apply to cyber operations that fail to qualify as attacks. As a result, certain cyber operations directed at the civilian population are permissible, as with most psychological operations conducted by cyber means such as social media (Law of War Manual, sec 16.5.2). Other fundamental obligations that are limited to cyber “attacks” include the prohibition on indiscriminate attacks, the rule of proportionality, and the requirement to take precautions in attack to minimize harm to civilians and civilian objects.
Unfortunately, the question of whether cyber operations that do not cause physical damage or injury constitute “attacks” under IHL remains unsettled. Israel, for instance, is of the view that only those that have such consequences are attacks. France, by contrast,
considers that a cyberoperation is an attack where the targeted equipment or systems no longer provide the service for which they were implemented, whether temporarily or permanently, reversibly or not. If the effects are temporary and/or reversible, the attack is characterised where action by the adversary is necessary to restore the infrastructure or system (repair of equipment, replacement of a part, reinstallation of a network, etc.).
This issue has long been contentious (see discussion here). The point, however, is that whether a hostile cyber operation qualifies as an attack during an armed conflict has significant consequences for the civilian population; therefore, the term should be used with great care.
A lack of sensitivity to the legal meaning of the aforementioned terms has complicated both unofficial and official discourse over cyber matters, at times even creating the impression that cyber incidents allow responses that international law does not countenance. Clearly, terminological confusion can prove internationally destabilizing. States and others involved in cyber affairs should choose their words carefully.
That said, it would be naive to hope the international community will eventually employ these terms solely in their legal context. Instead, this post aims to sensitize readers to the challenge presented by terms that co-exist in the legal and non-legal environment. Hopefully, it will help alert members of the legal community to the necessity of being “bilingual” when providing advice about cyber matters. They should be especially sensitive to the fact that their non-law colleagues may be using the terms in ways that deviate substantially from their international law meaning.
Michael N. Schmitt is the G. Norman Lieber Distinguished Scholar at the United States Military Academy. He is also Professor of Public International Law at the University of Reading, Strauss Center Distinguished Scholar and Visiting Professor of Law at the University of Texas, and Charles H. Stockton Distinguished Scholar-in-Residence at the United States Naval War College.