Offensive Cyberattacks Must Balance Lawful Deterrence & The Risks Of Escalation

Uploaded on 2018-04-19 in GOVERNMENT-National, FREE TO VIEW, BUSINESS-Services-Law

A government contemplating the use of offensive cyber operations will need to consider the precedents – and the lack of them.

The UK has been working towards building its offensive cyber capability since 2013, as part of its approach to deter adversaries and to deny them opportunities to attack, both in cyberspace and in the physical world. But reports that the government considered an offensive cyberattack as part of its response to the poisoning of Sergei Skripal and his daughter in Salisbury on 4 March have brought the issue of whether and when offensive cyber operations would be justified under international law to the fore.

Under international law, a state is entitled to take countermeasures (opens in new window) for breaches of international law against it that are attributable to another state. Countermeasures are acts by an injured state against another state that would ordinarily be unlawful but are legally justified as responses to the offending state’s unlawful activity. The use of countermeasures is subject to strict conditions. The purpose is to encourage the offending state to stop its unlawful activity, rather than to punish. The countermeasures must also be proportionate. And they must not use force.

There is no reason why cyber operations may not in principle be used as a countermeasure in response to a breach of international law. There is nothing in their nature to make an exception for them. (This is confirmed in the Tallinn Manuals 1.0 (opens in new window) and 2.0 (opens in new window) on the application of international law to cyber operations in war and peacetime drafted by a group of leading academic experts.) The state of existing international law is not changed by the fact that the UN group whose purpose is to agree common understandings on the international law applicable to cyber operations failed to reach agreement on this issue.  

Still, the UK is likely to be cautious about launching a cyber offensive as a retaliatory measure. When the UK announced its plan to develop offensive cyber capacities in 2013, as part of its deterrence strategy, it was the first country to publicly declare this. The announcement raised eyebrows in some quarters, primarily on the basis that it will make it difficult to argue against the use of offensive cyber capabilities by other states, such as China and Russia. Moreover, using offensive cyber in retaliation for an alleged breach of international law could set a precedent in how states react to similar situations in the future.

The Intelligence and Security Committee of the UK parliament recognized in its last annual report the importance of offensive cyber capabilities for the UK’s national security. At the same time, the committee highlighted the importance of seeking international consensus on the rules of engagement, stating that it would support the government’s efforts in that regard. The UK’s National Cyber Security Centre, a part of GCHQ, has likewise underlined that the use of offensive cyber capabilities will be deployed ‘in accordance with national and international law’.

Use of force
It is very unlikely that any UK cyber operation launched against another state in retaliation for a breach of international law would reach the threshold of a ‘use of force’ in international law terms. If it did, the only way that such an operation could be justified under international law would be on the basis of self-defence under Article 51 of the UN Charter. In order to be able to rely on such a justification, the breach in question would have had to constitute an ‘armed attack’ on the UK; the UK would also need to meet the other conditions of the law of self-defence, including the requirements of necessity and proportionality.

The threshold for what constitutes an armed attack is high. In the Salisbury attack, as some commentators have argued, an attack on an individual, while constituting a domestic crime and an interference in the sovereign affairs of another state, as well as potentially having implications under international human rights law, is unlikely to reach the threshold of armed attack.

Another factor the UK will consider in relation to cyber offensives is that even if the UK did not intend a retaliatory cyber operation to constitute a use of force, there is a risk that any such operation could be construed by the targeted state, or even the international community at large, as a use of force, leading to escalation of the situation.

Could the destruction of data, the hacking of websites or the periodic interruption of online services constitute a breach of the prohibition on the use of force? The threshold for what constitutes a ‘use of force’ in terms of cyber operations is much less clear than in relation to traditional, kinetic weaponry. This is another area where the UN group have failed to reach agreement, with rejection of the proposed text by a few states (including Cuba, Russia and China) leaving the process in deadlock. A report from Microsoft has urged (opens in new window) states to exercise self-restraint in the conduct of offensive operations, pointing out that the ultimate aim of rules guiding offensive action should be  to reduce conflict between states.

International law applies to cyber operations as it does to other state activities. But further international agreement on the way the law applies to these operations would be highly desirable. Meanwhile, the UK will be mindful of the fact that any use of offensive cyberattacks runs the risk of setting a precedent and escalating what is already likely to be a politically fragile situation. 

Chatham House:       By Joyce Hakmeh & Harriet Moynihan     Image: Nick Youngson

You Might Also Read: 

The Promise & Peril Of Trump’s Cyber Strategy:

UN Chief Urges Global Rules For Cyber Warfare:

 

« Vigilante Hackers Attack Nation States
Google Chairman Unaware Of Pentagon AI Project »

ManageEngine
CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Mielabelo

Mielabelo

Belgian consulting firm providing services in the security and compliance of information systems and IT service management.

Lakeside Software

Lakeside Software

Lakeside Software is how organizations with large, complex IT environments can finally get visibility across their entire digital estates and see how to do more with less.

360Logica

360Logica

360Logica is a software testing company offering numerous kinds of testing services to improve the quality and performance of your software and IT systems.

ClearDATA

ClearDATA

The ClearDATA Managed Cloud protects sensitive healthcare data using purpose-built DevOps automation, compliance and security safeguards, and healthcare expertise.

Gita Technologies

Gita Technologies

Gita Technologies works to create integrated solutions to the thorniest problems in the field of intelligence and cyber today.

Glilot Capital Partners

Glilot Capital Partners

Glilot Capital Partners is an Israeli seed and early-stage VC. We specialize in businesses which disrupt enterprise technology, mainly in the fields of AI, big data and cybersecurity.

Bitcrack

Bitcrack

Bitcrack Cyber Security helps your company understand and defend your threat landscape using our key experience and skills in cybersecurity, threat mitigation and risk.

SuperCom

SuperCom

SuperCom are a global secure solutions integrator and technology provider for governments and other consumers facing organizations around the world.

Activu

Activu

Activu makes any information visible, collaborative, and proactive for people tasked with monitoring critical operations including network security.

Myota

Myota

Myota intelligently equips each file to be resilient and achieve Zero Trust-grade protection. Withstand ransomware and data breach attacks. Reduce data restoration time and effort.

Execweb

Execweb

Execweb are a cybersecurity executive network, comprised of 400+ security practitioners who work at Fortune 500 and SME companies.

SMARTEST

SMARTEST

SMARTEST is a world-class IT solutions provider active in the most challenging and demanding industries such as the oil and gas industries.

Druva

Druva

Druva is the industry’s leading SaaS platform for data resiliency, and the only vendor to ensure data protection across the most common data risks backed by a $10m guarantee.

MiC Talent Solutions

MiC Talent Solutions

MiC Talent Solutions provides recruiting, direct hire, augmented staff, and professional service contracting solutions for organizations searching for minority cybersecurity talent.

CyberMontana

CyberMontana

CyberMontana is a statewide initiative providing cybersecurity awareness, training, and workforce development for businesses and residents of Montana.

Sansec Technology

Sansec Technology

Sansec Technology is dedicated to the research and development of cryptographic products and solutions for cyber security.