The digital revolution has transformed human societies. The Internet, and more generally computer networks, have become ubiquitous and indispensable for humankind to function, affecting every aspect of modern life. Several significant threats and obstacles, however, challenge the functionality of the Internet and the powerful opportunities that it offers. To start, unequal access to computers and computer networks as well as government censorship limit Internet access. More alarmingly, computer networks can be used for malicious activities that threaten national and international security. Every day, media reports describe cyber operations that target and sometimes seriously hurt individuals, companies, and states. As a result, cybersecurity has become a key issue for global security. Numerous actors now view this new reality as an opportunity to carry out malicious activities that either mimic previous ones or are wholly original. These activities are categorized according to their perpetrators. Cybercrime and cyberterrorism involve non-state actors, while state-sponsored cyber operations are generally labeled cyberwarfare. Cyber espionage can encompass both state and non-state actors.
Academic and political debates in the field of cybersecurity mainly focus on cyberthreats perpetrated by non-state actors, such as individuals, groups, companies, or private military and security companies. Non-state actors are both the main perpetrators and the main targets of malicious cyber activities. Yet cyber threats arising from states or their proxies that target other states should not be neglected. The most harmful and disruptive examples of cyber operations, such as the malware Stuxnet that physically damaged an Iranian nuclear plant or the large-scale distributed denial-of-service (DDoS) attacks against Estonia and Georgia, were, allegedly, state-sponsored.
State-sponsored cyber operations are generally labeled “cyberwarfare,” which is defined as the recourse to cyber means by one state against another. This is neither a legal nor a prescriptive term; it reflects, however, a disproportionate focus on the realm of warfare. Avoiding hasty or overly simplistic characterizations of cyber-related situations as cyberwarfare will help prevent unnecessary conflict escalation and assist targeted states in identifying and applying the appropriate response to each kind of cyberthreat.
What Is “Cyberwarfare”?
State-sponsored cyber operations are generally defined as “cyberwarfare,” but this term is oftentimes inaccurate as most operations fall outside of the realm of (cyber) warfare. What, then, is cyberwarfare and what does it imply? In simple terms, it is the waging of war using computer technology and the Internet. Cyberwarfare is a coin with two misleading sides. On the one hand, it implies that cyber operations amount to or take place during an armed conflict and thus the law of armed conflict is applicable to them. On the other hand, it implies that cyber operations violate the prohibition against the use of force in international law. Since these two situations only occur in a small portion of state-sponsored cyber operations, it is misleading to refer to state-sponsored cyber operations as cyberwarfare.
Non-state actors are both the main perpetrators and the main targets of malicious cyber activities.
Yet cyber operations can occur either during an existing armed conflict, as during the Russo-Georgian conflict in 2008, or can themselves constitute a new armed conflict, although there is no such example to this date. The vast majority of cyber operations neither occur during an existing armed conflict nor constitute a new armed conflict as such. Consequently, this article focuses on cyber operations that occur during times of peace. This allows us to analyze the legal regime applicable to cyber operations, and how victim states can respond to them.
It is important to recall that there are a number of possible classifications of state-sponsored cyber operations that fall outside the realm of cyberwarfare. Most state-sponsored cyber operations do not, in fact, violate the prohibition of the use of force or the law of armed conflict; rather, they violate the territorial sovereignty of the targeted state or the principle of non-intervention. Cyberwarfare is also only the tip of the iceberg, as an entire world of cyber operations below the threshold of cyberwarfare lies submerged. Consequently, it is important not to use the term cyberwarfare in a prescriptive manner based on the narrow understanding of cyber operations it implies. Such an approach risks classifying most state-sponsored cyber operations inaccurately by omitting to consider alternatives.
Nations have adopted strategies to cope with cyber operations in two distinct phases. In the first phase, they dealt with the pressing situation of growing cyber threats and tried to integrate solutions that went beyond simple cyber responses. The urgency of the situation led states to focus on devising more robust military and self-defense strategies. In the second phase that is currently underway, states will need to integrate the wide range of possible classifications of state-sponsored cyber operations into their national strategies. In the process, states can develop responses that are appropriate and effective for all types of cyber threats.
Selected Examples of Alleged State-Sponsored Cyber Operations
2007 – Estonia: On 26-27 April 2007, Estonia experienced violent street protests in the center of its capital Tallinn, mainly by a minority group of Russian descent, after it decided to remove and relocate a bronze war memorial of a Soviet soldier commemorating Russia’s victory in the Second World War. The riots were accompanied by cyber operations that began on 27 April and continued for nearly three weeks until 18 May.
As the cyber attacks were emanating from numerous countries around the world, the Estonian government could not identify the perpetrators. It accused Russia of orchestrating the attacks, but lacked evidence to support its claim. Estonia initially explored the possibility of invoking Article 5 of the North Atlantic Treaty, thus treating the cyber operations as an “armed attack,” triggering the “right of individual or collective self-defense.”[1] This solution was, however, quickly ruled out.
Cyberwarfare is also only the tip of the iceberg, as an entire world of cyber operations below the threshold of cyberwarfare lies submerged.
2008 – Georgia: After Georgia launched a large-scale military offensive in South Ossetia against separatist provocations, an armed conflict erupted between Russia and Georgia from 7 to 12 August 2008. Cyber operations targeting Georgia allegedly started on August 8th, just before the Russian invasion, and lasted until the end of the month.[2]
Cyber operations mainly took the form of website defacements and DDoS attacks. There were also significant levels of e-mail spamming. The targets were the Georgian government and media, as well as some commercial and private actors. Instructions and software to ping flood Georgian websites were available via mainly Russian-speaking blogs, forums and websites. The cyber operations could not be conclusively attributed to a state; the DDoS attacks were identified as coming from many different countries.
2010 – Stuxnet: Stuxnet was a computer worm that infected and disrupted Iranian nuclear facilities in 2007, resulting in the physical destruction of several centrifuges. The worm also infected numerous computers around the world. The Belarusian security company VirusBlokAda initially identified Stuxnet in June 2010. Many alleged that it was designed and launched by the United States and Israel, perhaps with the help of other countries, in order to coerce Iran to modify its nuclear program and abandon its military nuclear ambitions.
2014 – Sony Hack: In 2014, the computer networks of Sony Pictures Entertainment, the American subsidiary of the Japanese conglomerate Sony Corporation, was hacked, and an important amount of data was stolen from the company and released publicly in November 2014. The hackers notably demanded the cancellation of the release of the film The Interview, a comedy about the assassination of North Korean leader Kim Jong-un. US officials alleged that North Korea sponsored the attack, but North Korea denied all involvement.
2016 – DNC Hack: On 22 July 2016, the WikiLeaks website published 19,252 emails and 8,034 attachments stolen from the Democratic National Committee (DNC), the governing body of the Democratic Party in the United States.[3] The leak occurred during the campaign for the 2016 Democratic Party presidential primaries and a few days before the Democratic National Convention. It disrupted the internal voting process and led certain party executives to resign. The party was already aware that it had been hacked a few months before WikiLeaks published the documents and had enlisted the American cybersecurity company Crowdstrike to investigate. In June 2016, Crowdstrike published its conclusions: the hacking was the work of two different groups called Cozy Bear and Fancy Bear, which acted separately yet simultaneously, in the information technology networks of the Democratic Party.[4] These two groups did not limit themselves to the hacking of the Democratic Party; they also targeted the Republican Party (though to a lesser extent) and other institutions including think tanks in the context of the American elections.
On 22 July 2016, the WikiLeaks website published 19,252 emails and 8,034 attachments stolen from the Democratic National Committee.
On 7 October 2016, the Department of Homeland Security and the Office of the Director of National Intelligence published a joint report affirming that the Russian government was responsible for various hacks and the online publication of Democratic Party documents.[5] On 10 October 2016, the White House announced that the US government would adopt a proportionate response and, on 29 December 2016, it launched new sanctions against Russia and certain individuals. President Obama also expelled 35 Russian diplomats from the country, who left US territory on 1 January 2017. Some commentators purport that the United States also used extrajudicial measures, including cyber operations against Russian interests, although these have not been officially acknowledged. In late October 2016, Ukrainian hackers calling themselves Cyber Hunta hacked email accounts associated with Vladislav Surkov, a close advisor to the Russian president, and published emails and documents online. These leaks provided proof of Russian involvement in the separatist movements in eastern Ukraine.[6]
Current Responses to State-Sponsored Cyber Operations
Most states have adopted national strategies to deal with cyber threats, notably those arising from other states. The content of these strategies has been generally influenced by two events. Firstly, the public exposure of the mass surveillance programs conducted by the US National Security Agency (NSA) and the UK Government Communication Headquarters (GCHQ), in cooperation with Australia, Canada and New Zealand, shined the spotlight on espionage practices in the cyber age. Today, states are concerned about cyber espionage as a form of state-sponsored cyber threat.[7]
Secondly, and most importantly, the development of large-scale cyber operations, allegedly conducted by one state against another, led states to explore ways to respond outside of the cyber realm. Large-scale cyber operations that steal data, reveal information, and even produce physical damage to the victim state, have prompted states to consider using kinetic force – e.g. dropping a bomb or launching a military intervention – in retaliation to cyber operations. However, most cyber operations have limited effect, and victim states do not want to publicize the fact that they were attacked. In case of a cyber operation, the victim state will prefer to mitigate the negative effects of the operation or respond through cyber means. Since there is no general prohibition against cyber operations, the victim state will act in a legal grey area.
The cyber attacks against Estonia in 2007 were a watershed in shaping the cybersecurity strategies of NATO and Estonia.
In this respect, the cyber attacks against Estonia in 2007 were a watershed in shaping the cybersecurity strategies of NATO and Estonia, and raising international awareness about the potential consequences of cyber operations. They led to the creation of the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) in Tallinn in August 2008. In 2009, the CCDCOE launched the Tallinn Manual Process, which led to the publication in 2013 of The Tallinn Manual on the International Law Applicable to Cyberwarfare.[8] Although not an official NATO or CCDCOE document, the manual was written by a group of international experts and has become influential in determining how to apply international law to state-sponsored cyber operations and states’ cybers trategies.
Though the Tallinn Manual provides a comprehensive study of cyberwarfare, it deals with other situations quite superficially. A second edition of the manual was published in February 2017 that seeks to apply international law to cyber operations that are below the threshold of cyberwarfare. The cyber attacks against Estonia and the Tallinn Manual reveal two phases in the evolution of cyber strategy. The first phase focused on “cyberwarfare” and how to respond to state-sponsored cyber operations through military means. The second phase, illustrated by the new edition of the Tallinn Manual, expanded the scope to include other possible characterizations of cyber operations and to detail appropriate responses.
Lawfulness of State-Sponsored Cyber Operations
There is no general prohibition against state-sponsored cyber operations, but such operations might violate specific norms of international law, depending on their characteristics and effects. Policymakers have focused on the prohibition of the use of force in international law, and have sought to classify cyber operations as armed attacks that trigger the right of states to self-defense. However, as highlighted in this article, other classifications are possible and, in most cases, more accurate than classifying such operations as armed attacks.
It is important to note that a number of circumstances could preclude cyber operations from being rendered unlawful. This is the case if they are conducted under situations of distress, necessity, or as the result of force majeure.[9] These situations are quite specific and do not apply to most cyber operations; consequently, they are not discussed here. In many respects, state-sponsored cyber operations are comparable to state-sponsored espionage; no general prohibition exists under international law, as each state is willing to preserve its own capacity to conduct such operations.[10]
The prohibition against the threat or the use of force is enshrined in Article 2, Paragraph 4 of the United Nations Charter, and is universally accepted as a norm of customary international law. States are prohibited from using force against each other. Yet the prohibition does not include all types of force; for instance, economic, political or indirect forces are excluded.
The vast majority of cyber operations do not qualify as a use of force and, a fortiori, an armed attack.
Are states prohibited from using cyber force? Cyber operations clearly fall under the prohibition against the use of force, but not all forms of cyber operations amount to a use of force, and thus, not all cyber operations are prohibited. The consequence-based test is generally used to determine whether a cyber operation violates the prohibition against the use of force. The consequence-based approach focuses on the outcomes of cyber operations (virtual consequence, physical destruction, or death); cyber operations that cause physical destruction or death would always qualify as use of force, whereas operations that have non-physical consequences are more controversial.
In a nutshell, a cyber operation must meet two criteria in order to violate the prohibition against the use of force: being state-sponsored, as only states are bound by this prohibition; being of a certain intensity (generally, resulting in physical destruction or death. Stuxnet infected and disrupted the Iranian nuclear program in 2007, physically destroying several centrifuges. It is generally considered the only cyber operation that potentially violated the prohibition of the use of force).
Article 51 of the United Nations Charter asserts that a state needs to be the victim of an armed attack in order to exercise its right of self-defense. Armed attacks are the “most grave forms of the use of force,” according to the International Court of Justice.[11] However, some commentators challenge this interpretation and suggest that the notions of armed attack and use of force are equivalent, which would mean that all use of force triggers a state’s right of self-defense. The distinction between an armed attack and the use of force seeks to avoid disproportionate military action in response to minor incidents, such as border clashes, but this distinction is not clearly agreed upon. The vast majority of cyber operations do not qualify as use of force and, a fortiori, cannot be considered as armed attacks. Accordingly, they do not trigger the right of self-defense. Cyber operations that inflict significant damage and loss of life, such as causing an aircraft to crash or a dam to open, will most likely be considered an armed attack. To date, no cyber operation has seriously been considered an armed attack.
Two conditions must be met for a cyber operation to violate the territorial sovereignty of a state: being attributable to a state; penetrating the computer system of the victim state. There is no required level of damage to deem a cyber operation a violation of a state’s territorial sovereignty. Any state-sponsored cyber operation that penetrates or affects a foreign computer system that is attributable to a state would violate it. Yet some experts, notably within the international group of experts who authored the Tallinn Manual, express doubt that this definition can be applied to cyber operations and argue that damage is a necessary component:
A cyber operation by a State directed against cyber infrastructure located in another State may violate the latter’s sovereignty. It certainly does so if it causes damage. The international group of experts could achieve no consensus as to whether the placement of malware that causes no physical damage (as with malware used to monitor activities) constitutes a violation of sovereignty.[12]
An example from outside the cyber realm reveals how damage is not necessary to confirm that sovereignty has been violated. The mere trespassing of airplanes or ships, for instance, constitutes a violation of territorial sovereignty without any damage requirement.
Denial-of-service (DoS) attacks do not involve the planting of malware into the targeted computers. There is, therefore, no penetration into a foreign system, but they still negatively affect it. For a majority of scholars, the occurrence of the effects within a foreign system suffices to constitute a violation of territorial sovereignty. Consequently, a state-sponsored DoS attack in a foreign state might be considered a violation of territorial sovereignty.
Many believe that Stuxnet was aimed at coercing Iran into modifying its nuclear program and renouncing its military nuclear ambitions. If state sponsorship of Stuxnet could be proved, it would constitute an unlawful intervention.
The 2014 hack of Sony Pictures Entertainment was another interesting example. In a statement released in December 2014, then US Secretary of Homeland Security Jeh Johnson declared that “the cyber attack against Sony Pictures Entertainment was not just an attack against a company and its employees. It was also an attack on our freedom of expression and way of life.”[13] One could see this statement as criticizing the intervention within the context of the internal affairs of the United States. Does the hack of Sony Pictures Entertainment and the resulting situation constitute a violation of the principle of non-intervention? The attribution of this hack to North Korea is still not clear. Moreover, the attack clearly targeted a private actor and not the United States, and thus it cannot be considered an unlawful intervention.
Potential Responses
The right of self-defense is the only circumstance under which a victim state is authorized by international law to use force, including kinetic force such as launching bombs, against cyber operations. The victim state can act in self-defense either alone or in conjunction with other states in collective self-defense. In the case of collective self-defense, at least one of the states must be the victim of an armed attack and must declare that it is the victim of an armed attack. Moreover, the assistance of other states must have been requested by the victim state.
The vast majority of cyber operations do not qualify as a use of force and, a fortiori, an armed attack. Consequently, in such cases, the victim state does not have a right to self-defense and thus cannot recourse to kinetic force.
The recourse to force against cyber operations may be authorized by the Security Council of the United Nations under Chapter VII of the United Nations Charter. The Security Council might indeed designate a specific cyber operation as a “threat to the peace, breach of the peace, or act of aggression” (Article 39) and can thus make recommendations (Article 40) or take measures that can involve armed force (Articles 41 and 42.)
The victim state of an internationally wrongful act – e.g. a cyber operation that violates the rights of the victim state under international law – may take countermeasures against the responsible state. These countermeasures would normally be unlawful, but their unlawfulness is precluded by the unlawfulness of the first act. For instance, the victim state of an unlawful state-sponsored cyber operation can respond by launching a cyber operation against the responsible state. The unlawfulness of this cyber operation taken in response to the initial operation will be precluded, as it constitutes a countermeasure. There are several criteria to constitute a countermeasure:
- Being taken in response to an unlawful act by the responsible state;
- Being taken after asking the responsible state to cease its act;
- Being notified by the reacting state prior to launching countermeasures, unless the countermeasures are urgent;
- Being proportionate;
- Being terminated as soon as the violation of international law – e.g. the first cyber attack – has ceased.
Most state-sponsored cyber operations are unlawful under international law. If taken as a countermeasure, their unlawfulness could be precluded. Outside of the cyber realm, countermeasures can, for instance, include economic coercion.
Measures of retorsion are acts that are not unlawful. They are generally unfriendly acts taken in response to a prior unfriendly act. The lawfulness of certain kinds of cyber operations might still be debatable, and thus they could be considered as not breaching the rights of the victim state guaranteed under international law. Under such circumstances, international law does not allow the victim state to take unlawful measures against the responsible state. In most cases, state-sponsored cyber operations violate international law but do not amount to an armed attack. Consequently, the victim state cannot recourse to military measures in response, but can recourse to countermeasures such as unlawful cyber operations or economic coercion.
[1] North Atlantic Treaty, Article 5: “The Parties agree that an armed attack against one or more of them in Europe or North America shall be considered an attack against them all and consequently they agree that, if such an armed attack occurs, each of them, in exercise of the right of individual or collective self-defense recognized by Article 51 of the Charter of the United Nations, will assist the Party or Parties so attacked by taking forthwith, individually and in concert with the other Parties, such action as it deems necessary, including the use of armed force, to restore and maintain the security of the North Atlantic area. Any such armed attack and all measures taken as a result thereof shall immediately be reported to the Security Council. Such measures shall be terminated when the Security Council has taken the measures necessary to restore and maintain international peace and security.”
[2] Eneken Tikk, Kadri Kaska, and Liis Vihul, “International Cyber Incidents: Legal Considerations,” NATO Cooperative Cyber Defence Centre of Excellence, 2010, pp. 68–90, http://www.ccdcoe.org/publications/books/legalconsiderations.pdf
[3] Karen Tumulty and Tom Hamburger, “WikiLeaks Releases Thousands of Documents about Clinton and Internal Deliberations,” The Washington Post, 22 July 2016, https://www.washingtonpost.com/news/post-politics/wp/2016/07/22/on-eve-of-democratic-convention-wikileaks-releases-thousands-of-documents-about-clinton-the-campaign-and-internal-deliberations/
[4] Dmitri Alperovitch, “Bears in the Midst: Intrusion into the Democratic National Committee,” Crowdstrike, 15 June 2016, https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/
[5] Department of Homeland Security and Federal Bureau of Investigation, “Joint Statement from the Department of Homeland Security and Office of the Director of National Intelligence on Election Security, Homeland Security,” 7 October 2016, https://www.dhs.gov/news/2016/10/07/joint-statement-department-homeland-security-and-office-director-national; Ellen Nakashima, “U.S. Government Officially Accuses Russia of Hacking Campaign to Interfere with Elections,” Washington Post, 7 October 2016, https://www.washingtonpost.com/world/national-security/us-government-officially-accuses-russia-of-hacking-campaign-to-influence-elections/2016/10/07/4e0b9654-8cbf-11e6-875e-2c1bfe943b66_storyhtml?utm_term=.83a87b1a2451
[6] Andrew Buncombe, “Russia Hacked: Putin’s Aide Has Secrets Spilled by Ukrainian Group, Sparking Suspicions of Proxy Cyberwar,” Trump V Clinton, October 28, 2016, http://trumpxclinton.com/widget-horizontal/
[7] It is essential to understand the diversity of cyber operations and to not reduce them to cyber espionage conducted from the territory of the perpetrating state. The latter tend to mislead us in a situation where we cannot see the forest for the trees. Cyber espionage indeed receives most of the public’s attention. Cyber espionage conducted on the data transiting on the territory of the perpetrating state does not violate the territorial sovereignty of the targeted state, but this conclusion cannot be extended to all kinds of cyber operations. One notable exception is when states are penetrating ICT infrastructure located on the territory of targeted states.
[8] Michael N. Schmitt, ed., The Tallinn Manual on the International Law Applicable to Cyber Warfare, (London: Cambridge University Press, 2013)
[9] See generally on the circumstances precluding wrongfulness: James Crawford, Alain Pellet, and Simon Olleson eds., The Law of International Responsibility, (New York: Oxford University Press, 2010), pp. 427-502; James Crawford, State Responsibility: The General Part (Cambridge: Cambridge University Press, 2013), pp. 274-324.
[10] Fabien Lafouasse, L’espionnage Dans Le Droit International, Collection Le Grand Jeu [Spying in International Law, the Great Game Collection] (Paris: Nouveau monde, 2012), p. 25; Fabien Lafouasse, “L’espionnage En Droit International” [Spying in International Law], Annuaire Français de Droit International, Vol. 47, No. 1 (2001), pp. 63–136; Christian Schaller, “Spies,” MPEPIL, April 2009; Roger D. Scott, “Territorially Intrusive Intelligence Collection and International Law,” Air Force Law Review, Vol. 46 (1999), pp. 217–18.
[11] “Military and Paramilitary Activities in and against Nicaragua,” Nicaragua v. United States of America, Merits, I.C.J. Reports, Vol. 14, No. 101 (1986), pp. 191.
[12] Michael N. Schmitt, ed., The Tallinn Manual on the International Law Applicable to Cyber Warfare, (London: Cambridge University Press, 2013), p. 16.
[13] “Statement by Secretary Johnson On Cyber Attack On Sony Pictures Entertainment,” US Homeland Security, 19 December 2014, http://www.dhs.gov/news/2014/12/19/statement-secretary-johnson-cyber-attack-sony-pictures-entertainment