Last week it was reported that it appeared that a Russian state-sponsored hacker group was potentially gearing up for an attack on Ukraine. Due to the work of numerous security researchers and the US Federal Bureau of Investigation (FBI) the attackers' plans were foiled somewhat. Such events will inevitably raise questions on how to sufficiently deal with such threats. These discussions, as with discussions surrounding conventional warfare, can tread some morally murky water. A UK official has sought to clarify that country’s position with regard to responding to cyber warfare. In a speech issued by Air Marshall Phil Osbourne look to present a possible solution for his countries defense. The position that could be adopted according to Air Marshall Osbourne should be, “…to understand first, to decide first, and then if necessary to act first, across the physical and virtual, to secure decision advantage and then operational advantage, seeking swift yet controlled exploitation of vulnerabilities and the proactive denial of opportunities.”
While one would expect someone with a career in the military to speak those words to a room full intelligence and foreign affairs experts, it is the reason such words need to be uttered that is perhaps more interesting. According to Air Marshall Collins what was traditionally seen as peace, war, and the transition to war have changed vastly in recent history. As a result of increased competition between certain states confrontations follows. While these confrontations may not result in traditional warfare, states are using both traditional modes of exerting power, trade deals and proxy support in wars, with information tools. Cyber warfare has become an integral part of these “information tools”. Collins lists the following examples as proof of this hybrid approach, “unprecedented industrial espionage activity against the UK and Allies; private security contractors being used in high-end expeditionary warfare in Syria; cyber-attacks against national infrastructure and reputation across Europe; information operations that attempt to pervert political process and frustrate the rule of law; and attempted assassinations.” To that, you can add the thwarted events reported on earlier as well as Stuxnet and the Ukrainian Power Grid Attack to support his position.
One of the main fears of the UK top brass is the perceived ease at which cyber warfare, described in Collin’s speech as “non-kinetic” warfare rather euphemistically, can turn into kinetic warfare or what may be seen as conventional warfare. Collins believes that such threat cannot be considered a leap of the imagination and is obvious enough to warrant developing the capabilities to counter such a threat. He is of the opinion that as it stands the UK is capable of such a defense, however, he feels there will be a need to expand and modernize more conventional capabilities in addition to adding new information capabilities. Such an expansion may become of even more importance in an age of machine learning. This is where such planned defenses tread the morality line as combatting such a threat will involve both responding to cyber-attacks and if necessary launch preemptive cyber-attacks effectively in self-defense. Such action will inevitably open arguments similar to those for or against the use of drones in targeting perceived high-value targets. In Collins’ speech, he dealt with the potential threat and a potential defense; he never dealt with the implications of such actions relating to international law.
Cyber Warfare and International Law
The implications surrounding cyber warfare and international law fell to another. In a separate speech delivered by Attorney General Jeremy Wright, QC MP looked to tackle this difficult topic. Wright’s speech is seen as the first time the UK Governments position has set out for the public record. In summary, he accepts that international cyber law is a difficult area for a variety of reasons. Despite it being a difficult area to legislate for let alone police Wright feels that cyberspace is an integral part of the rules-based international order. Due to the important nature of cyberspace, the UK has adopted the view that there are boundaries of acceptable state behavior in cyberspace, as there are for any other matter be they trade or diplomacy. These boundaries would inevitably mean that hostile actors cannot take action by cyber means without consequence whether during peace or war. This implies that states that are targeted by hostile cyber operations have the right to respond to those operations in accordance with the options lawfully available to them and that in this as in all things, all states are equal before the law.
The question of what states may do legally and what would be considered illegal has been a favorite of legal academics. Wright in his speech sets out what the UK government perceives as both legal and illegal actions. In his speech, he defines a cyber-attack against the critical infrastructure that can or does lead to loss of life as an unlawful use of force that can trigger a non-cyber response. In his words this position is stated as,
“The UK considers it is clear that cyber operations that result in or present an imminent threat of, death and destruction on an equivalent scale to an armed attack will give rise to an inherent right to take action in self-defense, as recognized in Article 51 of the UN Charter.”
While this position is by no means novel with other states taking a similar approach in defining what is considered a cyber-attack and a legitimate response to such an attack.
Wright goes further to state that a cyber-attack that does not threaten life cannot legitimately result in the state acting in self-defense that could potentially result in loss of life. Or put more simply a cyber-attack that results in loss of life can legally permit military action. However, the reality is not so black and white. Attributing responsibility to cyber-attacks is notoriously difficult, sometimes impossible. In sidestepping this issue the UK government feels that,
“There is no legal obligation requiring a state to publicly disclose the underlying information on which its decision to attribute hostile activity is based, or to publicly attribute hostile cyber activity that it has suffered in all circumstances,”
Such statements can certainly be read as a warning to other states that the UK is more than willing to strike without warning.