By Ann Väljataga, Law Researcher, NATO Cooperative Cyber Defence Centre of Excellence. The article below is a summary of Ann Väljataga, ‘Tracing Opinio Juris in National Cyber Security Strategy Documents’, NATO CCD COE, Tallinn, 2018.
In this study, Ann Väljataga, a law researcher at the NATO Cooperative Cyber Defence Centre of Excellence, reviews the national cyber strategies of the United States, United Kingdom, Netherlands, China, France, Russia and Australia. She examines the cyber strategies in the context of sovereignty, foreign interference, thresholds to be considered an attack, the sufficient grounds for assigning responsibility/attribution and, lastly, how states might respond. The following paragraphs are a summary of the salient points of Väljataga’s study.
With cyber law still in the early stage of formation, opinio juris could at least, ideally, compensate for underdeveloped and / or incoherent legal practice, since strong positions regarding national postures in cyberspace as of now are still more often expressed or communicated than practiced. Ms Väljataga writes that, since international law is ultimately made by states and states alone, national declarations expressed in National Security Strategies, though not containing legally binding norms, reflect the nation’s overarching belief in existing or desired norms. Consequently, and while they tend to be, intentionally, overly generic and cautious, they contain aims that states deem realistic, desirable and achievable and reveal prevalent legal opinion.
Having no formally recognized obligations with respect to sovereignty in cyberspace allows states to conduct cyber operations on other nations without contravening international law. At the same time, this void weakens any protection international laws would offer against cyberattacks. National positions vary on cyber sovereignty, ranging from its perception as an infringement-immune environment (as in the cases of the US and UK where the concept is as abstract as the principle of sovereignty itself ) to where infringements are advocated as binding in nature, as in the case with the bi-national accord between Russia and China. Sovereignty implies obligations and, therefore, due diligence, meaning an expectation of exerting a reasonable amount of control over national cyberspace infrastructure. For some this opens up an avenue to permit more aggressive states to operate with a degree of impunity, but is intended to mean the duty to pursue controls over infrastructure just as nations foster support to countering international terrorism. In the end, any obligations from due diligence depends on context.
Based on the review of the national cyberspace strategies the following conclusions can be reached:
- Sovereignty applies in cyberspace.
- Sovereignty can be threatened and needs to be protected.
- Due diligence follows from cyber sovereignty (and is sometimes interpreted to involve a level of capacity building to assist those nations unable to contribute to the global effort).
- There is no agreement in whether or how cyber due diligence can be the basis of state responsibility.
Regarding foreign interference, the author references Australia’s international cyber strategy and foreign policy documents both announcing its intention to exercise strict sovereign control to protect the integrity and cohesion of its borders and infrastructure from coercive power. Unwanted foreign influence includes hybrid and information operations, and though perhaps not technically unlawful in themselves, constitute breaches of sovereignty according to Australia. This differs from the US and the UK who argue that a breach of cyber sovereignty is not a wrongful act since sovereignty is an underlying principle and not a binding rule, and that something more grave, a clearly prohibited intervention in domestic affairs, would mark the threshold for a wrongful act. US strategy avoids cyber sovereignty terminology throughout the document. UK strategy notes cyberspace as just a sphere in which national interests must be defended to contribute to broad national security, just as actions in the physical sphere. This leads to the question whether something that cannot be violated should be defended. Ultimately, no state commits to recognizing foreign intervention (such as election meddling) as prohibited and justifying proportionate countermeasures, nor whether cyber espionage is anything more than a legally-controversial but necessary evil.
Threshold as Use of Force / Armed Attack
There is no agreed upon threshold to trigger a nation to respond. If the UK position on cyber sovereignty is obscure, the criteria for the threshold for necessitating a response in self-defence is not much clearer. An attack on the banking system causing severe financial damage to the state and economic security for the people would constitute a use of force. A cyber-attack on the scale of one against nuclear reactors or Air Traffic Control resulting in large scale loss of life is considered grave, an attack on the scale of which reaches the threshold to trigger the UK to take action in self-defence. Cyberattacks leading to serious disruptions with long-term consequences, such as on the financial systems or government preventing the execution of essential services is the threshold for the Netherlands to qualify as an armed attack and to assert its right to defend itself. Australia caveats some of the parameters to assess threshold such as the intent, whether the effects are direct or indirect and whether the cyber activity could have reasonably been expected to cause extensive damage, destruction or loss of life. However, they also express concern about the cumulative effect on international peace and security of continual low-scale, malicious activity, that they can be treated as reaching the threshold of armed attacks if / when their cumulative effects achieve the same scale. Many of the strategies merely hypothesize of the possibility of cyberattacks reaching the scale of an armed attack but few offer specific examples. Ms Väljataga concludes that there is no factual consensus on what consequences meet the criteria of either the use of force or an armed attack and remarks that grave kinetic consequences are not always viewed as the absolute litmus test.
Ms Väljataga indicates there was a breakthrough in 2014 with respect to attribution with the attack on Sony being publicly attributed to North Korea, and again with the US indictment in 2017 of two Russians for hacking, espionage and other criminal activity conspiracy. Germany was the target for a number of attacks from 2015 – 2016 on its parliament and parties and attributed these and the world-wide NotPetya virus (of 2017) to actors with ties to Russia. The author cites the most clear-cut attribution to date being a 14 Oct 2018 news release from the UK whereby the Foreign Office candidly, and with high confidence, accused Russian foreign intelligence services of conducting four major cyberattacks that constituted a flagrant violation of international law. Overall, however, the predominant tendency is for states to concede that attribution is difficult to achieve and advancement is required through sharing intelligence and enhancing digital forensics. The French believe attribution is a state level function, part of state duty for practicing due diligence discussed earlier, while the Netherlands support a three-part formula, requiring technical (detection) and political attribution as prerequisites to legal attribution. Most incidents for which there has been public attribution have not progressed beyond the technical and political levels, perhaps because closer discrimination would bring into question what counts as effective control over infrastructure. Consequently, attribution is looked upon more as a naming and shaming method for deterrence. The US refrains from legal terminology altogether indicating its intentions to attribute and deter through swift, costly and transparent consequences. Overall, the national strategies have very little reference to legal attribution at this time.
The Netherlands indicates in its 2018 cyber strategy that it is open to the integration of offensive cyber actions as well as contributing same to NATO operations. Also, for instance the Czech strategy has direct examples of their capacity and intention of developing capabilities to respond (defensive and offensive) and the UK has expressed intentions to become the world leader in offensive cyber capabilities. The Australian strategy includes an array of responses including, but not limited to, offensive cyber capabilities, followed by the explanation that they will only be deployed in accordance with the principle of proportionality. The French would include measures to characterize and neutralize the attack to include influencing systems at the origin, including the possibility of pre-emptive as well as anticipatory defence measures. The UK aims to have the capability to respond to cyberattacks as it does to any other attack and by whatever means is the most appropriate, including cyberattacks to cause damage, disruption or destruction. The author points out that collective countermeasures are currently prohibited under positive international law, which raises the question how NATO can legally employ sovereign offensive cyber capabilities provided voluntarily by Allies for operations. However, all of the strategies examined acknowledge that the majority of cyber operations at the moment take place below the threshold of armed attack and, correspondingly, emphasis has shifted from self-defence to countermeasures. Consequently, national strategies are trending toward prevailing over the ban on collective countermeasures in cyberspace whether in near or farther future.
The author concludes that cyber opinio juris is in a formative stage, almost always extremely vague and discreet. However, national cyber security strategies can contain legally binding norms states intend to convey to the international community. Sovereignty is recognized predominantly as a parameter that can be violated and for which states have obligations and responsibilities. All nations condemn foreign interference via cyber, but there are no agreed-upon criteria for categorizing the use of force or an armed attack. It is generally accepted that countermeasures (including collective and anticipatory) not self-defence alone, are the key to combatting cyberattacks, and some strategies introduce legal aspects on attribution for consideration.
Questions to Stimulate Discussion:
Considering Command and Control (C2) of Multi-Domain Operations (MDO), does having the decision for both thresholds for attack and attribution at the political level inhibit operational commanders from responding in a timely fashion with appropriate countermeasures and through any domain?
Can mechanisms be put in place to expedite C2 and liaison between political and operational levels if decisions with respect to threshold and attribution remain at higher levels. Can this be expedited to something similar to the executive decision scenario between the Commander-in-Chief and the Commander of a Ground-Based Air Defence Unit on whether to engage a hijacked Aircraft?
Is it feasible to create Rules of Engagement (ROEs) to the potential of decision-making hindering the Commander’s OODA loop?