Offensive Cyberattacks Must Balance Lawful Deterrence & The Risks Of Escalation

A government contemplating the use of offensive cyber operations will need to consider the precedents – and the lack of them.

The UK has been working towards building its offensive cyber capability since 2013, as part of its approach to deter adversaries and to deny them opportunities to attack, both in cyberspace and in the physical world. But reports that the government considered an offensive cyberattack as part of its response to the poisoning of Sergei Skripal and his daughter in Salisbury on 4 March have brought the issue of whether and when offensive cyber operations would be justified under international law to the fore.

Under international law, a state is entitled to take countermeasures (opens in new window) for breaches of international law against it that are attributable to another state. Countermeasures are acts by an injured state against another state that would ordinarily be unlawful but are legally justified as responses to the offending state’s unlawful activity. The use of countermeasures is subject to strict conditions. The purpose is to encourage the offending state to stop its unlawful activity, rather than to punish. The countermeasures must also be proportionate. And they must not use force.

There is no reason why cyber operations may not in principle be used as a countermeasure in response to a breach of international law. There is nothing in their nature to make an exception for them. (This is confirmed in the Tallinn Manuals 1.0 (opens in new window) and 2.0 (opens in new window) on the application of international law to cyber operations in war and peacetime drafted by a group of leading academic experts.) The state of existing international law is not changed by the fact that the UN group whose purpose is to agree common understandings on the international law applicable to cyber operations failed to reach agreement on this issue.  

Still, the UK is likely to be cautious about launching a cyber offensive as a retaliatory measure. When the UK announced its plan to develop offensive cyber capacities in 2013, as part of its deterrence strategy, it was the first country to publicly declare this. The announcement raised eyebrows in some quarters, primarily on the basis that it will make it difficult to argue against the use of offensive cyber capabilities by other states, such as China and Russia. Moreover, using offensive cyber in retaliation for an alleged breach of international law could set a precedent in how states react to similar situations in the future.

The Intelligence and Security Committee of the UK parliament recognized in its last annual report the importance of offensive cyber capabilities for the UK’s national security. At the same time, the committee highlighted the importance of seeking international consensus on the rules of engagement, stating that it would support the government’s efforts in that regard. The UK’s National Cyber Security Centre, a part of GCHQ, has likewise underlined that the use of offensive cyber capabilities will be deployed ‘in accordance with national and international law’.

Use of force
It is very unlikely that any UK cyber operation launched against another state in retaliation for a breach of international law would reach the threshold of a ‘use of force’ in international law terms. If it did, the only way that such an operation could be justified under international law would be on the basis of self-defence under Article 51 of the UN Charter. In order to be able to rely on such a justification, the breach in question would have had to constitute an ‘armed attack’ on the UK; the UK would also need to meet the other conditions of the law of self-defence, including the requirements of necessity and proportionality.

The threshold for what constitutes an armed attack is high. In the Salisbury attack, as some commentators have argued, an attack on an individual, while constituting a domestic crime and an interference in the sovereign affairs of another state, as well as potentially having implications under international human rights law, is unlikely to reach the threshold of armed attack.

Another factor the UK will consider in relation to cyber offensives is that even if the UK did not intend a retaliatory cyber operation to constitute a use of force, there is a risk that any such operation could be construed by the targeted state, or even the international community at large, as a use of force, leading to escalation of the situation.

Could the destruction of data, the hacking of websites or the periodic interruption of online services constitute a breach of the prohibition on the use of force? The threshold for what constitutes a ‘use of force’ in terms of cyber operations is much less clear than in relation to traditional, kinetic weaponry. This is another area where the UN group have failed to reach agreement, with rejection of the proposed text by a few states (including Cuba, Russia and China) leaving the process in deadlock. A report from Microsoft has urged (opens in new window) states to exercise self-restraint in the conduct of offensive operations, pointing out that the ultimate aim of rules guiding offensive action should be  to reduce conflict between states.

International law applies to cyber operations as it does to other state activities. But further international agreement on the way the law applies to these operations would be highly desirable. Meanwhile, the UK will be mindful of the fact that any use of offensive cyberattacks runs the risk of setting a precedent and escalating what is already likely to be a politically fragile situation. 

Chatham House:       By Joyce Hakmeh & Harriet Moynihan     Image: Nick Youngson

You Might Also Read: 

The Promise & Peril Of Trump’s Cyber Strategy:

UN Chief Urges Global Rules For Cyber Warfare:

 

« Vigilante Hackers Attack Nation States
Google Chairman Unaware Of Pentagon AI Project »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

FT Cyber Resilience Summit: Europe

FT Cyber Resilience Summit: Europe

27 November 2024 | In-Person & Digital | 22 Bishopsgate, London. Business leaders, Innovators & Experts address evolving cybersecurity risks.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Acumin Recruitment

Acumin Recruitment

Acumin is an internationally established Cyber Security recruitment specialist.

OCERT

OCERT

OCERT is the National Computer Emergency Response Team of Oman.

Rubicon Workflow Solutions

Rubicon Workflow Solutions

Rubicon is a leading provider of managed IT support and strategic services, specialising in creative and mixed platform environments.

Core Security

Core Security

Core Security provides threat-aware identity, access, authentication and vulnerability management solutions.

VigiTrust

VigiTrust

VigiTrust is a security firm specializing in cloud based eLearning programs, security compliance portals and providing security assessments.

Circadence

Circadence

Circadence offer the only fully immersive, AI-powered, patent-pending, proprietary cybersecurity training platform in the market today.

Council for Information & Communication Technologies (CTIC)

Council for Information & Communication Technologies (CTIC)

CTIC was set up to address specific issues in the field of ICT relevant to the implementation of electronic government.

Cybeats Technologies

Cybeats Technologies

Cybeats delivers an integrated security platform designed to secure and protect high-valued connected devices.

NetNordic Group

NetNordic Group

NetNordic is a Nordic system integrator focusing on solutions and services in the area of networking, smart data centers, cybersecurity, and unified communication.

CatchProbe Intelligence Technologies

CatchProbe Intelligence Technologies

CatchProbe provides actionable web intelligence, OSINT, deception systems, threat intelligence, and digital crime analytics solutions and products through an AI-Driven intelligence platform.

TRM Labs

TRM Labs

TRM enables risk management and compliance for a global community of financial institutions, cryptocurrency businesses and government agencies.

Trustack

Trustack

Trustack services cover connectivity, infrastructure services, security, unified comms, agile working and more. Our team of consultants deliver customised solutions tailored to your needs.

Barquin Solutions

Barquin Solutions

Barquin Solutions is a full-service information technology consulting firm focused on supporting U.S. federal government agencies and their partners.

Couno

Couno

Couno is a trusted provider of IT support services throughout the UK and Europe.

SecureCyber

SecureCyber

Secure Cyber Defense offers industry-leading technology and managed detection and response solutions.

The Aerospace Corporation

The Aerospace Corporation

The Aerospace Corporation is playing a key role in advancing space cybersecurity through innovative prototypes that can quickly detect and mitigate cyber threats.