International Law and Conflict in Cyberspace: Attribution, Consequences, and the Development of Norms
CyCon US offered a number of opportunities to hear from experts on international law. We listened to two of them: a panel on the Tallinn Manual, and a paper on standards for attribution.
"The Future After Tallinn Manual 2.0."
NATO's Tallinn Manual has become one of the principal documents addressing the ways in which the laws of armed conflict are being extended to cyberspace. It's now in version 2.0, and a panel of experts discussed the Manual's background, purposes, and use. On November 7, 2017, Robert Barnsby (Cyber Law Fellow for the Army Cyber Institute and Assistant Professor in the Department of Law at West Point) moderated a panel composed of Colonel Gary Corn (Staff Judge Advocate for United States Cyber Command), Michael Schmitt (Professor of Public International Law, University of Exeter), Liis Vihul (CEO, Cyber Law International, and former managing editor of the Tallinn Manual 2.0), and Brigadier General Jen Buckner (Deputy Commander, Operations, US Cyber Mission Force). Schmitt and Vihul were involved in preparing Tallinn 2.0; the others have extensive experience with it and the operations it covers. The discussion as a whole was marked by an interesting exchange of views on the principle of sovereignty between Schmitt and Corn.
The law as it is, not as we would have it be.
Schmitt opened the discussion by stressing that the Tallinn Manual was written to reflex lex latta, the law as it is, not lex ferenda, the law as it ought to be. "We wanted the manual to be credible. Our audience consisted of judge advocates, legal advisers to ministries of foreign affairs," he said. "They don't need what Mike Schmitt hoped the law would be. They need to know what the law was." There were disagreements during the Manual's drafting, of course, and where such disagreements arose, Schmitt said the authors resolved them by concentrating on what the law actually was.
One area of disagreement appears to be sovereignty—the principle that a state has exclusive sovereignty over its own affairs, within its own territory. Corn thought that sovereignty might not constitute a binding rule of law. He mentioned US Army Chief of Staff Milly's remarks on the correlation between dispersal and lethality, and said that this was "absolutely something that's happening in the virtual space." The Tallinn Manual represents the translation of existing frameworks into new technologies, and it's possible to see the stress those technologies place on existing areas of law. He didn't dispute, he clarified, that sovereignty was a principle, but rather that it constituted a binding rule. He thought that, instead of a simple invocation of sovereignty in cases of cyber conflict, we rather seek to arrive at some threshold of consequence and harm. This is the sort of due diligence that's necessary, as a practical guide to operations and planning.
Vihul viewed sovereignty not only as an underlying principle, but as a "red line" in relations among states. The Sony hack is a good example. In her view, if that was indeed carried out by the North Korean government, then the attack was a violation of US sovereignty (specifically of US territorial integrity) and so constituted a breach of international law.
And is the manual helpful?
Barnsby asked Buckner for an operator's perspective: is this Manual helpful to her as a commander? Buckner thought it was, but indirectly. She referred to Schmitt's characterization of the Manual as having been written not for her, but for the people who advise her.
Corn, as US Cyber Command's Staff Judge Advocate, said, "I'm on record praising the Manual. It's an extremely helpful compilation of the substantive legal framework you'd look to map to legal considerations. These aren't easily answered questions. They're not clear, yet. The lines between law and policy are blurred. It's helpful to see this as a summary of how people out there are thinking. If you're contemplating something outside the manual, you can see where the criticism would come from, and temper your advice in those terms.
Sources of law and regions of unclarity.
"We wanted to spark the sort of discussion we're having over sovereignty, due diligence, and so on," Schmitt said. "I hope it's just the first stage in the conversation. Law is crafted out of state practice and opinio juris. We hope this causes states to set our their international law positions, and that as this develops, we'll see a critical mass of state opinions that will morph into rules of the game."
"Russia and China look for grey areas and operate there precisely because they're grey," Schmitt said, "and because when you operate against law-abiding adversaries, you hobble the opposition. We hesitate to operate in grey areas because of our commitment to the international rule of law. States need to clarify international law to leverage it to shut down, to a certain extent, their opposition."
Corn stressed the importance of recognizing operational realities. "The grey zone concept is something strategists have been developing for some years. It's descriptive of the environment. It's not exclusively legal. It's characteristic of states, principally revisionist states, to push into the grey zone up to the known red lines. China's artificial islands are a good non-cyber example. Cyber is primed for grey zone activity." You can't, Corn said, quoting former Department of Justice national security lead John Carlin, firewall your way out of this problem. There are states that see this as an attractive, lucrative way of holding you at risk and advancing their interests aggressively. This zone below clear warfare is where the law is struggling.
Principles of proportionality and (again) sovereignty.
To questions from the audience about countering grey zone activity, Schmitt looked to the principle of proportionality. "Proportionality is an area where the law would benefit from some clarity," he said. It's used in human rights law, the law of countermeasures (an action that would be unlawful except when done in response to another state's unlawful activity), the law of self-defense, and the law of armed conflict (when conducting targeted operations the expected harm to civilians can't be excessive with respect to military advantage). "In every case the law is a bit grey. To the extent we can operationalize proportionality, that would be good, because we will always seek to be well within the proportionate response."
All discussion of effective law seems to hinge on the possibility of imposing consequences. A questioner from the audience said that, given the difficulty we have in establishing domestic laws around cybersecurity, how can we enforce international law in this area, or show that there are going to be consequences? How do laws become effective without consequences? Corn answered with a reminder that law isn't simply a matter of exacting consequences. "We don't follow the law simply because of consequences. We follow it out of obligations, setting standards, and so on."
Corn also observed that there can be something counterintuitive about imposing consequences as one moves up the scale, from retortions to countermeasures to use of force. "Proportionality applies at each stage, but it also expands at each stage. If you raise the bar up to the use of force standard, you open the bar to escalation. If you lower the bar, you open up the possibility of countermeasures."
And Vuhal noted that in fact it was possible to impose consequences on individuals for violations of law in cyberspace. "You're saying you can indict them but you can't put them in prison because they're in China, but you're still imposing personal consequences on them—they can't travel to the US, nor to any country that's likely to extradite them to the US." Domestic and international law aren't perfect, but they're better than nothing.
Schmitt agreed, and returned to the earlier discussion of the principle of sovereignty. "We have to be careful about saying everything's really hard in cyber. In some respects—countermeasures—it's easier to take measures against an offending party. To Gary's comment, I want to explain that there wasn't an expert who thought this was an issue, that the rule of sovereignty cannot be breached. This notion that there's no rule of sovereignty that's been breached, that you've got to look for something else they've done wrong, is unhelpful. The US wielded disproportionate hard power during the Cold War. It was good for us to keep the threshold for tripping into unlawfulness high. Who was going to take us on? The problem here in cyber is that lots of countries are going to take us on. We should embrace this lower threshold because we want to use the law to deter other states that now can do us harm. My position comes at the cost of limiting the type of operations we can conduct abroad. We shouldn't fear the rule of sovereignty because we can use the rule of sovereignty."
Corn had no doubt that clarity can be very helpful. "But that approach [Schmitt's view] veers into policy, as opposed to what the law actually is. It doesn't take into account the fact of the Internet itself. You now have threat actors already conducting operations not just from their own infrastructure. Such operations are ubiquitously spread across the Internet, implicating the territory of a multitude of states.
Schmitt responded by arguing that the issues Corn raised could be handled with due diligence: "It's just like going after terrorists with drones." Corn insisted on a difference. "If you pull out due diligence, you're remedyless against a lot of the threat actors out there. Due diligence has other baggage that goes with it. All these just demonstrate that they don't align perfectly in this area." Vahul took the last word in response to the question about consequences: "If there is no rule of sovereignty, and the red lines are at non-intervention and use of force, then many things we wish not to be permissible would become permissible."
Attribution, retaliation, and NATO's Article 5.
A questioner asked whether any state officially accused another state of violating international law by cyber means, and of doing so in a way that would trigger a response. How would that affect development of customary international law? Vahul couldn't think of any case in which this had occurred, but said that rules don't need a breach to be established. Schmitt distinguished factual from legal attribution. The biggest problem with attribution in law is establishing a level of certainty. The level in state action is reasonableness. Aside from the factual work that needs to be done in any particular case, we need to do the work of "operationalizing" the concept of reasonableness or degree of certainty. Bucker pointed out that there was a calculus to attribution, since attribution may affect future operations. And, of course, as Corn observed, "if you're going to make the attribution you'd better be able to back it up."
On NATO's Article 5, the commitment to mutual defense, Vahul closed by saying she thought the threshold for invoking Article 5 would remain high—significant injury, damage or destruction. Or, if the damage were to be non-kinetic, it would have to be very serious damage, effectively "bringing a state to its knees."
"The Control and Capabilities Test: How a New Legal Regime is Shaping Attribution in Cyberspace."
Peter Stockburger, an international law expert at Dentons, delivered a paper later that day in which he addressed some of the same issues the panel on Tallinn 2.0 took up. He argued that there was a new rule emerging for state attribution, replacing the old rule of effective control. He discussed these developments in the light of both the United Nations Charter and both editions of the Tallinn Manual.
Summarizing the relevant articles of the UN Charter that seem to bear most directly on operations in cyberspace, Stockburger noted that Article 2 declares a state responsible for a wrongful act, when the act is both attributable to a state and is in fact wrongful. Article 4 declares acts of state organs attributable to a state, and Article 5 attributes acts of third parties empowered by a state to that state as well. Article 8 takes up third parties that are neither organs of a state nor groups that have been given authority by a state. Such parties' actions can be attributed to a state if those parties are acting under the instruction, direction, or control of a state. This is the effective control test.
Consider the International Court of Justice (ICJ) case of Nicaragua vs. the United States of America. The ICJ held that even if the US funded the Contras, and gave them manuals, that didn't constitute direction, and so the US couldn't be held accountable for the Contras' activities. There is an overall control test that applies to highly hierarchical groups, but the ICJ found against this, reaffirming the effective control test.
The Tallinn Manual 1.0 endorsed Article 8 and the effective control test. Tallinn 2.0 also endorses the effective control test. Thus the lex generalis for attribution in cyberspace.
But Stockburger thought that lex specialis was also forming, developing progressively since 2014. States, he said, are no longer relying exclusively on the effective control test. They're using instead the control and capabilities test. This alternative test, which has found particular application to attribution of cyber activities, doesn't emphasize instruction or direction, but rather evidence of control, similar malware, language, IP address, state interest, etc.
2014 saw the first state attribution, when the FBI formally attributed the Sony hack to North Korea. Under international law, the FBI binds the US in its public statements. The 2016 indictment of Iranian nationals also was founded on the control and capabilities test.
In 2016, the Grizzly Steppe attribution of election hacking to the Russian state alluded to a series of judgments, and in this attribution the US Government is changing state practice. Ukraine's government has made a similar public attribution of NotPetya to Russia, again based on control and capabilities.
Stockburger pointed out that the new test makes attribution easier, but it also comes with a great deal of potential risk because of tactics like false flags and spoofing. There's also still a lack of state practice. "Until states step up and make law, there will be ambiguity." He closed by advising the audience to watch two cases that will inform developing law: inquiry into influence operations during the French elections, and investigation into APT32, the OceanLotus threat group operating against corporate targets in Southeast Asia.