Ukraine Symposium – U.S. Offensive Cyber Operations in Support of Ukraine

Last Wednesday, General Paul Nakasone, Commander of United States Cyber Command and Director of the National Security Agency, opened the NATO Cooperative Cyber Defense Centre of Excellence’s annual CyCon Conference. In his address, General Nakasone discussed the “defend forward” and “persistent engagement” operational concepts set forth, inter alia, in Cyber Command’s 2018 vision statement, Achieve and Maintain Cyberspace Superiority (see my thoughts on the concepts here and here).

While General Nakasone’s address generated a great deal of discussion about the U.S. strategy’s lawfulness among those of us attending the conference (the answer depends on the nature of the operations), that issue had been on the table for a period measured in years. However, he also gave an interview to Sky News that quickly refocused attention on the war in Ukraine when it was published the following day. In it, General Nakasone reportedly acknowledged that “he is concerned ‘every single day’ about the risk of a Russian cyber attack targeting the US and said that … hunt forward activities were an effective way of protecting both America as well as allies.” To the extent “hunting” refers to intelligence collection, such operations are lawful, for espionage does not violate international law (for sources and discussion see Tallinn Manual 2.0, Rule 32 commentary).

But General Nakasone is also reported to have admitted that the United States had been mounting cyber operations in support of Ukraine: “We’ve conducted a series of operations across the full spectrum; offensive, defensive, [and] information operations.” Although he did not describe them, the General stated that the operations were lawful and conducted with the approval of the appropriate civilian authorities. The comments immediately drew the attention of the cyber and international law communities.

At the White House, Press Secretary Karine Jean-Pierre was asked about the comments, in particular, whether offensive U.S. cyber operations were inconsistent with the administration’s decision not to engage Russian forces directly and signaled a policy change. She responded,

[W]e just don’t see it as such. We have talked about this before. We’ve had our cyber experts, here at the podium, lay out what our plan is. That has not changed. So, the answer is just simply: No.

Offensive Cyberspace Operations

Without knowing the operations to which General Nakasone was referring, it is impossible to assess them fully. However, his reference to “offensive” operations is telling, for it is a term of art in U.S. military doctrine. Joint Publication 3-12, Cyberspace Operations (2018 (JP 3-12)), states that U.S. cyber forces have three missions.

1) Department of Defense information network operations (DODIN). Operations to secure, configure, operate, extend, maintain, and sustain Department of Defense cyberspace to create and preserve the confidentiality, availability, and integrity of the Department of Defense information network.

2) Defensive cyberspace operations (DCO). Missions to preserve the ability to utilize blue cyberspace capabilities and protect data, networks, cyberspace-enabled devices, and other designated systems by defeating ongoing or imminent malicious cyberspace activity.

3) Offensive cyberspace operations (OCO). Missions intended to project power in and through cyberspace.

So, we know what offensive cyber operations are not (DODIN and DCO). And elsewhere, the publication also notes that OCO “project power in and through foreign cyberspace through actions taken in support of CCDR or national objectives” (emphasis added). CCDR refers to Combatant Commanders like the Commander of European Command, who has responsibility for the area.

JP 3-12 goes on to explain,

OCO may exclusively target adversary cyberspace functions or create first-order effects in cyberspace to initiate carefully controlled cascading effects into the physical domains to affect weapon systems, C2 processes, logistics nodes, high-value targets, etc. All CO missions conducted outside of blue cyberspace with a commander’s intent other than to defend blue cyberspace from an ongoing or imminent cyberspace threat are OCO missions. Like DCO-RA missions, some OCO missions may include actions that rise to the level of use of force, with physical damage or destruction of enemy systems. Specific effects created depend on the broader operational context, such as the existence or imminence of open hostilities and national policy considerations. OCO missions require a properly coordinated military order and careful consideration of scope, ROE, and measurable objectives.

Assuming solely for the sake of analysis that General Nakasone was using the term “offensive” in a manner consistent with U.S. doctrine, and not to refer colloquially to operations outside U.S. territory, the JP 3-12 explanations allow for a degree of legal analysis. I want to emphasize, however, that the analysis is limited to the types of operations described above as offensive cyberspace operations and that I do not know the kinds of operations in which U.S. Cyber Command is actually engaging.

Neutrality Violation?

 This Articles of War symposium has repeatedly addressed the issue of neutrality (see here, here, and here).  Those posts demonstrate that the legal community is split between supporters of a strict interpretation of neutrality law (as reflected in Convention (V) Respecting the Rights and Duties of Neutral Powers in Case of War on Land, Convention (XIII) Concerning the Rights and Duties of Neutral Powers in Naval War, and customary law) and others, like myself, who have embraced a “qualified neutrality” approach.

By the former, neutral States may not support a belligerent to the detriment of its adversary, for as Yoram Dinstein has observed, “[t]he two pillars of the laws of neutrality are non-participation and non-discrimination.” Offensive cyber operations against Russian forces would undoubtedly qualify as a breach of the prohibition on participation.

Yet, it is indisputable that Ukraine enjoys a right of self-defense under Article 51 of the UN Charter and customary international law (see my analysis here). And assuming, for the sake of analysis, that Ukraine requested the U.S. cyber operations and that they fall within the four corners of that request, the U.S. operations qualify as collective self-defense measures. They, therefore, benefit from the fact that acting in self-defense, including collectively, is a “circumstance precluding wrongfulness” under the law of State responsibility (Articles on State Responsibility, Rule 21). This being so, the operations do not violate the law of neutrality by the strict approach to neutrality law.

The other approach, qualified neutrality, is supported by the United States. As noted in the Department of Defense’s Law of War Manual, “[t]he Charter of the United Nations and decisions by the U.N. Security Council may, in certain circumstances, qualify rights and obligations under the law of neutrality” (§ 15.2.3.2). It offers the example of acting in support of a belligerent pursuant to a UN Security Council decision under UN Charter Chapter VII or a collective self-defense arrangement.

In my view, the notion of qualified neutrality only operates when it is crystal clear that the State being assisted is the victim of unlawful aggression by its adversary. Otherwise, qualified neutrality would be an exception that would often swallow the rule. But despite this limited application of the approach, recall that of the 193 UN members, 141 States voted for a General Assembly resolution condemning the Russian actions and demanding immediate and unconditional withdrawal. Thirty-five abstained (likely for political, not legal reasons), while only five (Belarus, North Korea, Eritrea, Russia, and Syria) voted against the resolution. More to the point, the Russian justification for its actions is legally nonsensical.

Therefore, by the qualified neutrality approach, States may assist Ukraine, including by cyber means without violating the law of neutrality. At a certain point, the nature of that support may make the supporting State a co-belligerent, a topic addressed below. Should that occur, the law of neutrality no longer applies between the State providing the support and the adversary of the supported State because the supporting State has become a party to the conflict. Whether the U.S. offensive cyber operations have reached that point is, as will be explained, difficult to determine.

Wrongful Use of Force?

For the same reason, even destructive or injurious U.S. cyber operations would not violate the use of force prohibition in Article 2(4) of the UN Charter and customary international law. Self- and collective defense are exceptions to the use of force prohibition that are expressly provided for in Article 51 and acknowledged universally as customary in character. Accordingly, even if the U.S. cyber operations rise to the level of a use of force, a complicated issue, they are lawful (for discussion of cyber uses of force, see Tallinn Manual 2.0, Rule 69 commentary).

I would note that the United States has not claimed to be acting in collective self-defense. This may be for policy reasons beyond the scope of this post or because the United States does not believe it needs to rely on self-defense as a justification for its actions yet. Still, the failure to do so does not preclude subsequent assertions that its actions were justifiable on that basis.

Armed Conflict?

Once a State becomes a party to an international armed conflict (IAC), the laws of neutrality no longer apply. They are supplanted by those of international humanitarian law (IHL). Regarding the U.S. cyber operations in question, this could occur in two ways.

First, the operations themselves might be at the level of “armed force,” a legal threshold that triggers an IAC. As understood in this context, armed force includes certain cyber operations standing alone, that is, that are not a component of kinetic operations (for sources and discussion, see Tallinn Manual 2.0, Rule 82 commentary). Cyber operations that cause physical damage or injury cross the threshold.

But it is unclear where the threshold lies for operations not generating those effects. As noted by the International Committee of the Red Cross in its 2020 Commentary to Article 2 of the 1949 Third Geneva Convention,

Without physically destroying or damaging military or civilian infrastructure, cyber attacks might also disrupt their operation. Could these still be considered as a resort to armed force under Article 2(1)? Would the low intensity approach still be appropriate for hostile actions carried out only through cyber operations? Would the threshold of harm tolerated by States affected by cyber operations be different depending on the military or civilian nature of the ‘targeted’ object? For the time being, these questions are left open and the law is uncertain on the subject. Therefore, it remains to be seen if and under what conditions States will treat such cyber operations as armed force amounting to armed conflict under humanitarian law in future operations.

The challenge for our purposes is that, as is clear from the JP 3-12 extract above, the term “offensive cyberspace operations” can refer to those below the level of a use of force, like one that merely disrupts Russian command and control or logistics. Indeed, a cyber operation might be “offensive” for U.S. doctrinal purposes but not “armed force” for IHL purposes.

Thus, without knowing more about the operations to which General Nakasone was referring, and in light of the uncertainty as to the threshold at which cyber operations initiate an IAC, no definitive conclusion regarding whether the U.S. operations standing alone initiated an armed conflict between the United States and Russia is possible (assuming one is not already underway as a matter of law, see here).

Second, U.S. offensive cyber operations could make the United States a party to the IAC between Russia and Ukraine based on so-called “co-belligerency,” a subject I addressed in a prior post in this series. That post was prompted by reports that the United States shared intelligence that enabled Ukrainian forces to engage in lethal and destructive targeting, including against Russian generals and the cruiser Moskva.

In my view, a State supporting a belligerent sometimes may become a party to the conflict even though the former has not engaged in operations that themselves reach the IAC threshold. I have suggested looking to the following factors in making the assessment.

• • Any intent on the part of the supporting State to contribute to specific “conduct of hostilities” [combat] operations by the supported State or frustrate those of the State’s adversary;
  • The extent to which the support benefits specific conduct of hostilities operations of the supported State or hinders those by its adversary;
  • The degree to which the support is integral to specific conduct of hostilities operations of the supported State or defensive action against its enemy; and
  • The degree of immediacy between the provision of intelligence and its use.

In other words, the question is whether the supporting State harbored a belligerent intent to directly and integrally support operations that would have triggered an IAC if one had not already broken out? If so, the supporting and supported States are engaged in “collective conduct of hostilities,” and both are now parties to the conflict.

This is an easier case to make in the context of the war in Ukraine because there is no question that Ukraine is mounting the type of combat operations that would have done so. But again, it is not possible to render any definitive conclusions on collective conduct of hostilities without knowing the type of “offensive” operations being conducted by Cyber Command or whether they were in direct support of Ukrainian operations of the requisite nature.

Conclusion

General Nakasone’s comments on U.S. offensive cyber operations in support of Ukraine may have sparked controversy in the cyber and international law communities. But several points are essential to bear in mind when considering them.

First, the facts necessary to draw most legal conclusions remain unavailable to those without the required security clearances. Accordingly, commentators would be well-served to be prudent in rendering opinions about the legal effects of the U.S. operations to which General Nakasone referred.

Second, the operations did not violate the law of neutrality. This is because they either qualified as lawful collective self-defense, a circumstance precluding wrongfulness, or because they are consistent with the notion of qualified neutrality. As to the former basis, the fact that the United States has not indicated it is operating in self-defense is not an obstacle to this conclusion, at least not as a matter of law.

Third, even if the operations were themselves lethal or destructive (and we have no evidence one way or the other on this matter), they were not unlawful because, so long as Ukraine requested them, the operations can qualify as actions taken in collective self-defense.

Finally, absent further information on the U.S. offensive cyber operations supporting Ukraine, no definitive conclusion can be drawn on whether they may have triggered an international armed conflict between the United States and Russia, if one was not already underway. But it is crucial to understand that the existence of an IAC is a question of fact based on the nature of the exchange. Characterization of the situation as an IAC or not by the States concerned does not bear on whether one is underway as a matter of international law.

***

Michael N. Schmitt is the G. Norman Lieber Distinguished Scholar at the United States Military Academy at West Point. He is also Professor of Public International Law at the University of Reading and Professor Emeritus and Charles H. Stockton Distinguished Scholar-in-Residence at the United States Naval War College.

Photo credit: NSA