The Applicability of International Law to Cyber Operations: Towards a New Legal Paradigm

by Nicolas Sensenbrenner   Spring 2019

Cyberattacks have increasingly become a concern for international actors, yet there is currently no international agreement regarding cyber operations. Several cyber operations in recent years, namely ‘Stuxnet’ and the DDOS attack in Estonia, stand out as warning signs for politicians and cybersecurity experts. This paper argues that the international community should develop a comprehensive and binding accord that prohibits the use of cyber operations for nefarious objectives. Using the ‘lex-lata’ framework conceptualized by the Tallin and Tallin 2.0 manuals, this paper explores how principles of customary international law apply to cyberspace and addresses challenges in adopting the aforementioned agreement. 

              Cyberattacks have become major political and corporate preoccupations over the past decade. The internationalization of computer networks and information infrastructure has connected the most remote regions of the world to more technologically advanced countries. The benefits of cyber integration are well-documented and have yielded net benefits for states and firms. Recently, however, cyberspace has increasingly become a concern because it provides a platform for attackers to control, disrupt, and manipulate computer networks and potentially harm various international actors. Currently, there is no international agreement regarding cyber operations.

       The international legal community should develop a comprehensive, cohesive, and binding accord that reinforces the prohibition of the use of cyber operations for nefarious objectives. The accord must properly define a ‘cyber operation,’ enforce international law prohibiting the use of force in cyberspace, address issues relating to attribution, jurisdiction, sovereignty, and international responsibility, and, most importantly, be flexible enough to accommodate the ever-changing landscape of cyber-threats. This is a long list of demands for an issue as contentious as cybersecurity. However, they are important for states to address in order to guarantee long-term security in the realm of cyberspace.

            A few ‘cyber operations’ in the last decade stand out as warning signs for politicians and cybersecurity experts. The Russian-led cyber operation against Estonia, in 2007, the ‘Stuxnet’ virus that disrupted an Iranian nuclear facility, in 2010, and various ‘ransomware’ breaches of major U.S. corporations over the past couple of years have embedded ‘cyber-attack’ into the vernacular and propelled the issue of cybersecurity to the forefront of the political agenda. Yet there is no binding global accord to properly characterize and punish perpetrators of hostile cyber operations. Cyberspace, the so-called fifth battleground, introduces challenges to the existing international legal order. As noted by Tarah Wheeler in  Foreign Policy, “cyber warfare does have rules, but they are not the ones we are used to1.”

                                                 An Introduction to Cyber Operations

            This paper will employ the following definition of cyber operations: a cyber operation, “consists of any action taken to undermine the functions of a computer network for a political or national security purpose2.” This definition follows the objectives-based approach where “objective” means direct targeting to undermine the function of a computer network3.  Examples of various ‘cyber operations’ of interest are described in the following section.

            The ‘Stuxnet’ malicious computer worm is the most striking example of the disruptive effects that nefarious cyber operations can have. First discovered in 2010, the worm targeted the supervisory control and data acquisition (SCADA) systems of Iran’s Natanz uranium enrichment facility with the intention to disrupt the facility.   The virus had two effects on the facilities operating system. First, it sent thousands of centrifuges spinning out of control, effectively destroying them. Secondly, it transmitted normal readings back to the central command of the facility so that everything appeared to be operating as normal4. Although no country has claimed responsibility for the attack, the bug is thought to have been jointly developed by American and Israeli military intelligence5. Michael Hayden, former director of the CIA and NSA6, referred to Stuxnet as “the first attack of a major nature in which a cyberattack was used to effect physical destruction”;Stuxnet has not only proved that cyber operations are as, if not more, effective than conventional military operations, but, moreover, that the international community is ill-equipped to deal with emerging threats in cyberspace.

            A distributed denial of service (DDOS) attack is a cyber operation that floods the targeted computer network, usually from thousands of distributed botnets (i.e., “zombie computers,”) in an attempt to overload the system and prevent the network from functioning properly7. The most recent example of a large-scale DDOS attack was the 2016 Dyn cyberattack, where major Internet platforms and services were unavailable to users across Europe and North America8. However, academics most frequently cite the 2007 Estonia cyber-attack as the first major politically motivated cyber operation. The DDOS attack on Estonia prompted the North American Treaty Organization Cooperative Cyber Defense Centre of Excellence (NATO CCD COE) to draft a manual addressing the issue of how to interpret international law in the context of cyber operations and cyber warfare9.

            The Tallinn Manual on the International Law Applicable to Cyber Warfare was published in 2013, after four years of work by a group of twenty international experts. The manual is an academic, non-binding, study that formally addresses the issue of how to interpret traditional international law in the context of the evolving nature of cyber warfare10. The manual strictly addresses the applicability of cyber warfare as it relates to the jus ad bellum principle of ‘use of force’ and jus in bello norms of armed conflict11.The manual includes 95 rules that closely resemble those of existing treaty norms as well as their applicability to Lex lata, the law currently governing cyber conflict12. It is important to note, however, that the focus of the manual is on cyber operations that surpass a minimum threshold amounting to a ‘use of force’ and that the manual was intended as a purely independent, academic publication13.

                            The Applicability of Existing International Law to Cyber Operations

            The only international legal regime that currently governs cyber operations is the U.N. Charter and the accompanying principles and norms. Specifically, jus ad bellum informs international laws most relevant to the use of force. Under the current paradigm, interstate cyber activity is treated the same as traditional operations, such as the deployment of kinetic weapons. While jus ad bellum is applicable to a wide range of offensive operations and has succeeded in its goal to prevent another great war, there are limitations in its applicability to emerging developments in cyberspace.

            Article 2(4) of the U.N. Charter codifies the prohibition of the use of force between states. According to the charter, “all Members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any manner inconsistent with the Purposes of the United Nations.”14, 15 In an advisory opinion on the Legality of the Threat or Use of Nuclear Weapons, published by the ICJ in 1999, the prohibition of the use of force applies, “to any use of force, regardless of weapons employed16.”

            To determine whether a cyber operation constitutes a violation of Article 2(4) of the U.N. Charter, the scope of the use of force must be assessed in context. Rule 11 of the Tallinn Manual states that, “a cyber operation constitutes use of force when its scale and effects are comparable to non-cyber operations rising to the level of a use of force17”. To reach this conclusion, the International Group of Experts referred to the ICJ’s ruling in the Nicaragua case. Specifically, the Court identified ‘scale and effect’ as the criteria to, “distinguish the most grave forms of the use of force (those constituting an armed attack) from other less grave forms18.”The minimum threshold considered to be a use of force is characterized by a cyber operation designed to cause death or injury to persons or the destruction, physical damage, or functional harm to objects or infrastructure19. The Stuxnet virus would likely surpass the minimum ‘scale and effect’ threshold outlined by the Tallinn Manual and the ICJ as it caused physical damage to infrastructure.

            The difficulty lies, however, in characterizing cyber operations that have not caused death, injury, destruction, damage, or harm to persons, private property, or infrastructure. Furthermore, the travaux préparatoires of the U.N. Charter demonstrate that the prohibition of force does not include economic or political coercion20. Therefore, DDOS operations that target financial, logistical, or civilian network and result in economic losses would not amount to the use of force under customary international law21. As of the writing of this paper, the international legal community has not reached a consensus on the definitive threshold to quantitatively and qualitatively characterize a cyber operation as an unlawful use of force under UN standards22. However, various frameworks developed by legal scholars analyze the theoretical minimum threshold that would constitute a use of force under international law. To characterize the degree and severity of a cyber operation, the damage must surpass a ‘minimum threshold.’

            The most widely accepted framework to determine whether a cyber operation can be characterized as a ‘use of force’ is the effects-based approach. There are six factors to consider under this approach: severity, immediacy, directness, invasiveness, measurability, and presumptive legitimacy23. States must consider these factors inter alia when deciding whether to characterize an action as a use of force. Of these six, the most significant factor to consider is severity. Specifically, severity refers to the, “physical injury or property damage that must arise as a direct and foreseeable consequence of the [cyber operation] and must resemble the injury or damage associated with what, at the time, are generally recognized as military weapons24.” In this case, however, the de minimis rule applies. Absent extreme situations, actions that affect critical national interests are more likely to be considered a use of force25. In summary, the effects of a cyber operation, specifically the severity of the action, should be the determining factor.

                                Developments in Legal Opinion regarding Cyber Operations

            The analysis, so far, has concentrated on the applicability of jus ad bellum, specifically Article 2(4) of the U.N. Charter, to cyber operations that amount to the use of force. However, most cyber operations fall below the minimum threshold and Article 51 cannot be invoked. The next part of this paper deals with cyber operations that fall below the minimum threshold and are not governed by existing international law. To do so, this paper will use the framework put forth by Tallinn 2.0,  the updated publication of the original from 2013, to discuss the importance of an internationally coordinated convention addressing cyber operations. Furthermore, this paper will discuss the challenges facing the international community in regulating cyber operations.

 

            In 2017, the NATO CCD COE’s international group of experts released Tallinn 2.0, an updated version of the original manual which focuses on the applicability of international law to cyber operations that do not rise to the level of an armed attack outlined in Article 2(4)26.  According to Michael Schmitt, the leader of the group of experts, the new manual, “adds a legal analysis of the more common cyber incidents that states encounter on a day-to-day basis and that fall below the thresholds of the use of force or armed conflict27 .”Tallinn 2.0 must be understood as an expression of opinions by the international group of experts28. It “is not a ‘best practices’ guide, does not represent ‘progressive development of the law,’ and is policy or politics-neutral. In other words, Tallinn 2.0 intended to be an objective restatement of lex lata29,” like the original manual.

            Tallinn 2.0 focalizes on general legislation considered to be most important in addressing future cyberspace issues. The remainder of this paper will focus on several key concepts derived from customary international law and how they apply to cyber operations, namely sovereignty, jurisdiction, international responsibility, and the prohibition of intervention.

            The first rule of Tallinn 2.0 states that “the Principle of Sovereignty applies to cyberspace30”. As Eric Jensen argues in The Tallinn Manual 2.0: Highlights and Insights, “sovereignty is a principle that gets applied based on the practical imperatives of states, rather than as a uniform rule of international law…sovereignty has been applied differently by the international community depending on the practice of states…resulting in disparate legal paradigms31.” 

            The next area of Tallinn 2.0, relevant to this analysis, relates to the concept of jurisdiction. The manual defines jurisdiction as, “the competence of States to regulate persons, objects, and conduct under their national law, within the limits imposed by international law32.” In essence, “cyber activities and the individuals who engage in them are subject to the same jurisdictional prerogatives and limitations as any other form of activity33.” These prerogatives include prescriptive and enforcement jurisdiction as it applies to cyber operations. The traditional notion is based on the legal ability of a state to exercise authority beyond its boundaries. In the case of cyber operations, it is often difficult to trace an operation to a specific state or source.

            Despite this challenge, a silver lining emerges in the section of Tallinn 2.0 relating to the law of international responsibility. Rule 14 states that, “[a] State bears international responsibility for a cyber­ related act that is attributable to the State and that constitutes a breach of an international legal obligation34.” This law derives, lex lata, from the International Law Commission’s Articles of State Responsibility35. For instance, actions undertaken by the NSA and CIA could be attributed to the U.S., according to Articles 4 and 5 of the Articles of State Responsibility36. The same logic applies to other actors that are dependent on or have partnerships with states, such as private government contractors. Attribution in these cases is relatively straightforward.

            The final area of interest in this analysis is the principle of non-intervention as it applies to cyber operations. Rule 66 of Tallinn 2.0 asserts that: “A State may not intervene, including by cyber means, in the internal or external affairs of another State37.”However, this rule only prohibits coercive interference38 in the state’s domaine réservé to include influencing the “choice of a political, economic, social, and cultural system, and the formulation of foreign policy39. The majority of experts concluded that coercion must be implemented and “designed to influence outcomes in…a matter reserved to a target State40.” 

                                         Challenges facing the International Legal Community

            The problem related to how international law applies to cyber operations is inherently political. Governments, in general, disagree on how they should operate within cyberspace. Even among Western democracies, there is still significant uncertainty about the best approach to these issues. After the political fallout from the Snowden affair, the U.S., for example, argued, “its international legal obligations to protect privacy did not apply to its foreign surveillance activities41.” This position incensed allies and created yet another political hurdle to overcome. The potential for disagreement is even wider between democracies and authoritarian states.

                                                                                          Conclusion

            There is currently no international legislation governing cyber operations. There lacks a clear and internationally accepted legal definition of ‘cyber operations,’ no formal threshold to determine the severity of a given action, and there are still problems related to attribution and jurisdiction. Furthermore, the nature of cyberspace is changing so rapidly that any new treaty would be rendered obsolete upon its ratification. The lack of a cohesive and binding agreement severely limits states in addressing current and emerging cyber threats. If countries experience thousands of cyber-attacks a year, the legislative and enforcement process would become a burden and would not punish perpetrators in a timely manner.

            An international cybersecurity accord would serve two purposes. First, as mentioned before, it would properly address cyber operations that do not amount to the traditional use of force and create a common system for evaluating the ‘scale and effect’ of any given malicious cyber activity. It would also provide a framework to properly attribute attacks and promote capacity and confidence-building within the international community. Second, and most importantly, the accord would serve as a deterrent for states with advanced cyber capabilities and create a collective international responsibility system that would enforce the legislation and incentivize playing by the rules.

            For the accord to be realized, there are significant political hurdles to be overcome between states. First, states must properly and transparently define cyber sovereignty. This is problematic for states with advanced cyber capabilities as they must adhere to their concept of sovereignty while not violating it themselves; states must balance their national security interest with the interests of the international community. Secondly, it will be difficult to establish a common legal opinion among states on how international law currently applies to cyberspace and what steps to take in the future.

            Cybersecurity lies at the intersection of politics, economics, and security. Any international treaty governing cyber operations would need to be politically viable, economically sound, and strike a balance between national security and international solidarity. The costs of implementing an accord, in the form of political capital, are high, but the costs of inaction are even higher. If states fail to reach an agreement in a timely manner, they might look back at this time as a watershed moment.

 

                                                                              REFERENCES

 

  1. Brownlie, I. (1963). International Law and the Use of Force by States. pp.362, 431.

  2. Columbia Journal of Transnational Law. (1998). Michael N. Schmitt, “Computer Network Attack and the Use of                   Force in International Law. Thoughts on a Normative Framework,”. 37, p.914.

  3. Council on Foreign Relations (n.d.). "The U.N. GGE on Cybersecurity: How International Law Applies to                               Cyberspace.”. Available at: http://www.cfr.org/blog/un-gge-cybersecurity-how-international-law-applies-                       cyberspace.

  4. Documents of the United Nations Conference on International Organization. (1945). VI, pp.559,720–721

  5. Etherington, D. and Conger, K. (2019). Available at:

                        https://fromthetrenchesworldreport.com/many-sites-including-twitter-shopify-and-spotify-suffering-outage/173751.

    6. Hathaway, O., Crootof, R., Levitz, P., Nix, H., Nowlan, A., Perdue, W. and Spiegel, J. (2012).

                      The law of cyber-attack.. California Law Review, pp.817-885. pp 11.

    7. Hathaway, O., Crootof, R., Levitz, P., Nix, H., Nowlan, A., Perdue, W. and Spiegel, J. (2012).

                     "Understanding Denial-of-Service Attacks." California Law Review, 22.

    8. J. Broad et al, W. (2011). “Israeli Test on Worm Called Crucial in Iran Nuclear Delay,”. New York

                     Times.

    9. Jensen, E. (2016). "The Tallinn Manual 2.0: Highlights and Insights.". p.742.

   10. International Law Common, Draft Articles on Responsibility of States for Internationally                                

                  Wrongful Acts,.Doc. A/56/10.

  11. Lanxon, N., Kahn, J. and Brustein, J. (2019). Available at:

                 https://www.bloomberg.com/news/articles/2016-10-21/internet-service-disrupted-in-large-parts-of-eastern-u-s.

12. Leetaru, K. (2018). "What Tallinn Manual 2.0 teaches U.S. about the new cyber order.".

                 Legality of the Threat or Use of Nuclear Weapons, advisory opinion. § 39.

13. Melzer, N. (2011). Cyberwarfare and international law. United Nations Institute for

                 Disarmament Research. Military and Paramilitary Activities in and Against Nicaragua (Nicar. v. U.S.), I.C.J.

                ¶ 19 (1986).

14. Nakashima, E. and Warrick, J. (2012). "Stuxnet Was Work of U.S. and Israeli Experts, Officials

               Say.". Available at: https://www.washingtonpost.com/world/national-security/stuxnet-was-work-of-us-and-israeli-

               experts-officials-say/2012/06/01/gJQAlnEy6U_story.html?noredirect=on&utm_term=.57d1fdb8b922.

15. Responsibility of States for Internationally Wrongful Acts. G.A. Res. 56/83.

16. Stanford Journal of International Law. (2012). Daniel B. Silver, in: Stephenie G. Handler, “The New Cyber

               Face of the Battle. Developing a Legal Approach to Accommodate Emerging Trends in Warfare,”. 48, p.13.

17. Schmitt, M. (2013). Tallinn manual on the international law applicable to cyber warfare.

              Cambridge University Press, p.18.

18. Schmitt, M. (2013). Tallinn manual on the international law applicable to cyber warfare.

              Cambridge University Press, p.47.

19. Schmitt, M. (2017). Tallinn Manual 2.0 on the international law applicable to cyber operations.                       

             Cambridge University Press, p.51.

20. Schmitt, M. (2013). Tallinn manual on the international law applicable to cyber warfare.  Cambridge

             University Press, p.52.

21. Schmitt, M. (2017). Tallinn Manual 2.0 on the international law applicable to cyber operations. Cambridge

             University Press, p.312.

22. Schmitt, M. (2017). Tallinn Manual 2.0 on the international law applicable to cyber operations. Cambridge

             University Press.

23. Schmitt, M. (2013). Tallinn Manual on the International Law Applicable to Cyber Warfare.

             New York, United States of America: Cambridge University Press.

24. HLS PILAC. (n.d.). Tallinn 2.0 Project. Available at: http://pilac.law.harvard.edu/tallinn-20-  project/.

25. Wheeler, T. (2019). “In Cyberwar, There Are No Rules.” Foreign Policy. Available at:

              http://foreignpolicy.com/2018/09/12/in-cyberwar-there-are-no-rules-cybersecurity-war-defense/.

26. Williams, C. (2012). “Barack Obama ordered Stuxnet cyberattack on Iran,”.

California Law Review, (2012) 817-885. pp 11.

4 New York Times (2011).

6 The Telegraph (2012).

10 Ibid.

11 Schmitt (2013).

13 Ibid.

17 Schmitt (2013).

18 (Nicar. v. U.S.), 1986 I.C.J. 14, ¶ 191.

22 Ibid, pp. 9.

21 Brownlie (1963) and Melzer (2011).

20 Documents of the United Nations Conference on International Organization, vol. VI, (1945), pp. 559, 720–721.

19 Schmitt (2013, Brownlie (1963, and Melzer (2011).

24 Stanford Journal of International Law, Vol. 48, (2012), p. 13.

26 Tallinn 2.0 Project.

27 Forbes (2018).

28 Schmitt (2017).

29 Ibid. at 9.

33 Ibid. at 51.

34 Ibid. at 84.

35 International Law Common Draft Articles on Responsibility of States for Internationally Wrongful Acts.

38 Ibid. at 313, ¶ 4.

40 Ibid. at 318, ¶ 19.

The editorial staff of The Law Review at Johns Hopkins does not endorse the opinions expressed in individually published articles.

1 Wheeler (2018)

3 Ibid. pp. 11, 17.

5 The Washington Post (2012).

7 California Law Review (2012).

8 Etherington and Conger (2018).

9 Schmitt (2013).

12 Ibid, pp. 19.

14 U.N. Charter arts. 2(4), 42, 51.

15 G.A. Res. 3314.

16 International Court of Justice, Legality of the Threat or Use of Nuclear Weapons, advisory opinion, 1996, § 39.

23 Columbia Journal of Transnational Law, Vol. 37, (1998-99), p. 914.

25 Schmitt (2013).

30 Ibid. at 11.

31 Jensen (2016).

32 Schmitt (2017).

36 Schmitt (2017), supra.

37 Schmitt (2017).

39 Ibid. at 315, ¶ 8.

41 Council on Foreign Relations.

© 2019 by The Law Review at Johns Hopkins.

All rights reserved.

This site was designed with the
.com
website builder. Create your website today.
Start Now