Offensive Cyberattacks Must Balance Lawful Deterrence & The Risks Of Escalation

A government contemplating the use of offensive cyber operations will need to consider the precedents – and the lack of them.

The UK has been working towards building its offensive cyber capability since 2013, as part of its approach to deter adversaries and to deny them opportunities to attack, both in cyberspace and in the physical world. But reports that the government considered an offensive cyberattack as part of its response to the poisoning of Sergei Skripal and his daughter in Salisbury on 4 March have brought the issue of whether and when offensive cyber operations would be justified under international law to the fore.

Under international law, a state is entitled to take countermeasures for breaches of international law against it that are attributable to another state. Countermeasures are acts by an injured state against another state that would ordinarily be unlawful but are legally justified as responses to the offending state’s unlawful activity. The use of countermeasures is subject to strict conditions. The purpose is to encourage the offending state to stop its unlawful activity, rather than to punish. The countermeasures must also be proportionate. And they must not use force.

There is no reason why cyber operations may not in principle be used as a countermeasure in response to a breach of international law. There is nothing in their nature to make an exception for them. (This is confirmed in the Tallinn Manuals 1.0 and 2.0 on the application of international law to cyber operations in war and peacetime drafted by a group of leading academic experts.) The state of existing international law is not changed by the fact that the UN group whose purpose is to agree common understandings on the international law applicable to cyber operations failed to reach agreement on this issue.

Still, the UK is likely to be cautious about launching a cyber offensive as a retaliatory measure. When the UK announced its plan to develop offensive cyber capacities in 2013, as part of its deterrence strategy, it was the first country to publicly declare this. The announcement raised eyebrows in some quarters, primarily on the basis that it will make it difficult to argue against the use of offensive cyber capabilities by other states, such as China and Russia. Moreover, using offensive cyber in retaliation for an alleged breach of international law could set a precedent in how states react to similar situations in the future.

The Intelligence and Security Committee of the UK parliament recognized in its last annual report the importance of offensive cyber capabilities for the UK’s national security. At the same time, the committee highlighted the importance of seeking international consensus on the rules of engagement, stating that it would support the government’s efforts in that regard. The UK’s National Cyber Security Centre, a part of GCHQ, has likewise underlined that offensive cyber capabilities will be deployed ‘in accordance with national and international law’.

Use of force
It is very unlikely that any UK cyber operation launched against another state in retaliation for a breach of international law would reach the threshold of a ‘use of force’ in international law terms. If it did, the only way that such an operation could be justified under international law would be on the basis of self-defence under Article 51 of the UN Charter. In order to be able to rely on such a justification, the breach in question would have had to constitute an ‘armed attack’ on the UK; the UK would also need to meet the other conditions of the law of self-defence, including the requirements of necessity and proportionality.

The threshold for what constitutes an armed attack is high. In the case of the Salisbury attack, some commentators have argued that an attack on an individual, while constituting a domestic crime and an interference in the sovereign affairs of another state, as well as potentially having implications under international human rights law, is unlikely to reach the threshold of armed attack.

Another factor the UK will consider in relation to cyber offensives is that even if the UK did not intend a retaliatory cyber operation to constitute a use of force, there is a risk that any such operation could be construed by the targeted state, or even the international community at large, as a use of force, leading to escalation of the situation.

Could the destruction of data, the hacking of websites or the periodic interruption of online services constitute a breach of the prohibition on the use of force? The threshold for what constitutes a ‘use of force’ in terms of cyber operations is much less clear than in relation to traditional, kinetic weaponry. This is another area where the UN group has failed to reach agreement, with rejection of the proposed text by a few states (including Cuba, Russia and China) leaving the process in deadlock. A report from Microsoft has urged states to exercise self-restraint in the conduct of offensive operations, pointing out that the ultimate aim of rules guiding offensive action should be to reduce conflict between states.

International law applies to cyber operations as it does to other state activities. But further international agreement on the way the law applies to these operations would be highly desirable. Meanwhile, the UK will be mindful of the fact that any use of offensive cyberattacks runs the risk of setting a precedent and escalating what is already likely to be a politically fragile situation. 

Chatham House: By Joyce Hakmeh & Harriet Moynihan. Image: Nick Youngson.
