Offensive Cyberattacks Must Balance Lawful Deterrence & The Risks Of Escalation

A government contemplating the use of offensive cyber operations will need to consider the precedents – and the lack of them.

The UK has been working towards building its offensive cyber capability since 2013, as part of its approach to deter adversaries and to deny them opportunities to attack, both in cyberspace and in the physical world. But reports that the government considered an offensive cyberattack as part of its response to the poisoning of Sergei Skripal and his daughter in Salisbury on 4 March have brought the issue of whether and when offensive cyber operations would be justified under international law to the fore.

Under international law, a state is entitled to take countermeasures (opens in new window) for breaches of international law against it that are attributable to another state. Countermeasures are acts by an injured state against another state that would ordinarily be unlawful but are legally justified as responses to the offending state’s unlawful activity. The use of countermeasures is subject to strict conditions. The purpose is to encourage the offending state to stop its unlawful activity, rather than to punish. The countermeasures must also be proportionate. And they must not use force.

There is no reason why cyber operations may not in principle be used as a countermeasure in response to a breach of international law. There is nothing in their nature to make an exception for them. (This is confirmed in the Tallinn Manuals 1.0 (opens in new window) and 2.0 (opens in new window) on the application of international law to cyber operations in war and peacetime drafted by a group of leading academic experts.) The state of existing international law is not changed by the fact that the UN group whose purpose is to agree common understandings on the international law applicable to cyber operations failed to reach agreement on this issue.  

Still, the UK is likely to be cautious about launching a cyber offensive as a retaliatory measure. When the UK announced its plan to develop offensive cyber capacities in 2013, as part of its deterrence strategy, it was the first country to publicly declare this. The announcement raised eyebrows in some quarters, primarily on the basis that it will make it difficult to argue against the use of offensive cyber capabilities by other states, such as China and Russia. Moreover, using offensive cyber in retaliation for an alleged breach of international law could set a precedent in how states react to similar situations in the future.

The Intelligence and Security Committee of the UK parliament recognized in its last annual report the importance of offensive cyber capabilities for the UK’s national security. At the same time, the committee highlighted the importance of seeking international consensus on the rules of engagement, stating that it would support the government’s efforts in that regard. The UK’s National Cyber Security Centre, a part of GCHQ, has likewise underlined that the use of offensive cyber capabilities will be deployed ‘in accordance with national and international law’.

Use of force
It is very unlikely that any UK cyber operation launched against another state in retaliation for a breach of international law would reach the threshold of a ‘use of force’ in international law terms. If it did, the only way that such an operation could be justified under international law would be on the basis of self-defence under Article 51 of the UN Charter. In order to be able to rely on such a justification, the breach in question would have had to constitute an ‘armed attack’ on the UK; the UK would also need to meet the other conditions of the law of self-defence, including the requirements of necessity and proportionality.

The threshold for what constitutes an armed attack is high. In the Salisbury attack, as some commentators have argued, an attack on an individual, while constituting a domestic crime and an interference in the sovereign affairs of another state, as well as potentially having implications under international human rights law, is unlikely to reach the threshold of armed attack.

Another factor the UK will consider in relation to cyber offensives is that even if the UK did not intend a retaliatory cyber operation to constitute a use of force, there is a risk that any such operation could be construed by the targeted state, or even the international community at large, as a use of force, leading to escalation of the situation.

Could the destruction of data, the hacking of websites or the periodic interruption of online services constitute a breach of the prohibition on the use of force? The threshold for what constitutes a ‘use of force’ in terms of cyber operations is much less clear than in relation to traditional, kinetic weaponry. This is another area where the UN group have failed to reach agreement, with rejection of the proposed text by a few states (including Cuba, Russia and China) leaving the process in deadlock. A report from Microsoft has urged (opens in new window) states to exercise self-restraint in the conduct of offensive operations, pointing out that the ultimate aim of rules guiding offensive action should be  to reduce conflict between states.

International law applies to cyber operations as it does to other state activities. But further international agreement on the way the law applies to these operations would be highly desirable. Meanwhile, the UK will be mindful of the fact that any use of offensive cyberattacks runs the risk of setting a precedent and escalating what is already likely to be a politically fragile situation. 

Chatham House:       By Joyce Hakmeh & Harriet Moynihan     Image: Nick Youngson

You Might Also Read: 

The Promise & Peril Of Trump’s Cyber Strategy:

UN Chief Urges Global Rules For Cyber Warfare:

 

« Vigilante Hackers Attack Nation States
Google Chairman Unaware Of Pentagon AI Project »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Cyber adAPT

Cyber adAPT

Cyber adAPT offers a leading network threat detection platform (NTD) to the enterprise and ODM/OEM markets.

Cognni

Cognni

Cognni (formerly Shieldox) will make your InfoSec think like a human, right out of the box, so you can focus on the bigger picture, keeping the information flow safe.

ShadowDragon

ShadowDragon

ShadowDragon develops digital tools that simplify the complexities of modern investigations that involve multiple online environments and technologies.

MASS

MASS

MASS provides world-class capabilities in electronic warfare operational support, cyber security, information management, support to military operations and law enforcement.

Temasoft

Temasoft

TEMASOFT is a software company focused on developing security and infrastructure products.

Monegasque Digital Security Agency (AMSN)

Monegasque Digital Security Agency (AMSN)

AMSN is the national authority in charge of the security of information systems in Monaco.

DarkLight

DarkLight

DarkLight is a cybersecurity platform that mimics human thinking at scale to build resiliency to Advanced Persistent Threats.

Westminster Insight - Cyber Security Conference

Westminster Insight - Cyber Security Conference

Join colleagues this December for Westminster Insight’s Cyber Security Conference, as you’ll assess how new technologies such as AI can secure your organisation against future threats.

CyberCX

CyberCX

CyberCX provides services from strategic consulting, security testing and training to world-class managed services and engineering solutions.

Coviant Software

Coviant Software

Coviant Software delivers secure managed file transfer (MFT) software that integrates smoothly and easily with business processes.

Quantum eMotion (QeM)

Quantum eMotion (QeM)

Quantum eMotion is a Montreal-based advanced developer leading the way towards a new generation of quantum-safe encryption for the quantum computing age.

FutureRange

FutureRange

Specialising in IT Managed Services, Cybersecurity and Digital Transformation, FutureRange experts provide professional IT services for clients throughout Ireland and beyond.

White Knight Labs

White Knight Labs

White Knight Labs is a cyber security consultancy that specializes in cybersecurity training.

Tracer

Tracer

Tracer (formerly Appdetex) is a next-generation brand protection solution. It constantly finds, analyzes, and stops brand abuse across Web2 and Web3 digital channels.

Nuke From Orbit

Nuke From Orbit

Nuke's mission is to put you back in control of your digital identity when your smartphone gets stolen.

UltraViolet Cyber

UltraViolet Cyber

UltraViolet is an industry leading tech-enabled managed security services company.