Offensive Cyberattacks Must Balance Lawful Deterrence & The Risks Of Escalation

Uploaded on 2018-04-19 in GOVERNMENT-National, FREE TO VIEW, BUSINESS-Services-Law

A government contemplating the use of offensive cyber operations will need to consider the precedents – and the lack of them.

The UK has been working towards building its offensive cyber capability since 2013, as part of its approach to deter adversaries and to deny them opportunities to attack, both in cyberspace and in the physical world. But reports that the government considered an offensive cyberattack as part of its response to the poisoning of Sergei Skripal and his daughter in Salisbury on 4 March have brought the issue of whether and when offensive cyber operations would be justified under international law to the fore.

Under international law, a state is entitled to take countermeasures (opens in new window) for breaches of international law against it that are attributable to another state. Countermeasures are acts by an injured state against another state that would ordinarily be unlawful but are legally justified as responses to the offending state’s unlawful activity. The use of countermeasures is subject to strict conditions. The purpose is to encourage the offending state to stop its unlawful activity, rather than to punish. The countermeasures must also be proportionate. And they must not use force.

There is no reason why cyber operations may not in principle be used as a countermeasure in response to a breach of international law. There is nothing in their nature to make an exception for them. (This is confirmed in the Tallinn Manuals 1.0 (opens in new window) and 2.0 (opens in new window) on the application of international law to cyber operations in war and peacetime drafted by a group of leading academic experts.) The state of existing international law is not changed by the fact that the UN group whose purpose is to agree common understandings on the international law applicable to cyber operations failed to reach agreement on this issue.  

Still, the UK is likely to be cautious about launching a cyber offensive as a retaliatory measure. When the UK announced its plan to develop offensive cyber capacities in 2013, as part of its deterrence strategy, it was the first country to publicly declare this. The announcement raised eyebrows in some quarters, primarily on the basis that it will make it difficult to argue against the use of offensive cyber capabilities by other states, such as China and Russia. Moreover, using offensive cyber in retaliation for an alleged breach of international law could set a precedent in how states react to similar situations in the future.

The Intelligence and Security Committee of the UK parliament recognized in its last annual report the importance of offensive cyber capabilities for the UK’s national security. At the same time, the committee highlighted the importance of seeking international consensus on the rules of engagement, stating that it would support the government’s efforts in that regard. The UK’s National Cyber Security Centre, a part of GCHQ, has likewise underlined that the use of offensive cyber capabilities will be deployed ‘in accordance with national and international law’.

Use of force
It is very unlikely that any UK cyber operation launched against another state in retaliation for a breach of international law would reach the threshold of a ‘use of force’ in international law terms. If it did, the only way that such an operation could be justified under international law would be on the basis of self-defence under Article 51 of the UN Charter. In order to be able to rely on such a justification, the breach in question would have had to constitute an ‘armed attack’ on the UK; the UK would also need to meet the other conditions of the law of self-defence, including the requirements of necessity and proportionality.

The threshold for what constitutes an armed attack is high. In the Salisbury attack, as some commentators have argued, an attack on an individual, while constituting a domestic crime and an interference in the sovereign affairs of another state, as well as potentially having implications under international human rights law, is unlikely to reach the threshold of armed attack.

Another factor the UK will consider in relation to cyber offensives is that even if the UK did not intend a retaliatory cyber operation to constitute a use of force, there is a risk that any such operation could be construed by the targeted state, or even the international community at large, as a use of force, leading to escalation of the situation.

Could the destruction of data, the hacking of websites or the periodic interruption of online services constitute a breach of the prohibition on the use of force? The threshold for what constitutes a ‘use of force’ in terms of cyber operations is much less clear than in relation to traditional, kinetic weaponry. This is another area where the UN group have failed to reach agreement, with rejection of the proposed text by a few states (including Cuba, Russia and China) leaving the process in deadlock. A report from Microsoft has urged (opens in new window) states to exercise self-restraint in the conduct of offensive operations, pointing out that the ultimate aim of rules guiding offensive action should be  to reduce conflict between states.

International law applies to cyber operations as it does to other state activities. But further international agreement on the way the law applies to these operations would be highly desirable. Meanwhile, the UK will be mindful of the fact that any use of offensive cyberattacks runs the risk of setting a precedent and escalating what is already likely to be a politically fragile situation. 

Chatham House:       By Joyce Hakmeh & Harriet Moynihan     Image: Nick Youngson

You Might Also Read: 

The Promise & Peril Of Trump’s Cyber Strategy:

UN Chief Urges Global Rules For Cyber Warfare:

 

« Vigilante Hackers Attack Nation States
Google Chairman Unaware Of Pentagon AI Project »

CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

authen2cate

authen2cate

Authen2cate offers a simple way to provide application access with our Identity and Access Management (IAM) solutions for enterprise, small business, and individual customers alike.

ForeScout Technologies

ForeScout Technologies

ForeScout delivers pervasive network security by allowing organisations to continuously monitor & mitigate security exposures & cyberattacks.

Ground Labs

Ground Labs

Ground Labs is a security software company dedicated to making sensitive data discovery products that help organisations prevent sensitive data loss.

Technology Industries of Finland (TIF)

Technology Industries of Finland (TIF)

Technology Industries of Finland (TIF) is a business and labour market lobbying organization that promotes the competitiveness and business conditions of Finland’s most crucial export industry.

Mitchell Sandham

Mitchell Sandham

Mitchell Sandham is an, independent insurance and financial services brokerage. Business products include Cyber/Privacy Liability insurance.

CYBERSEC Forum

CYBERSEC Forum

CYBERSEC Forum is an annual European Public Policy Conference dedicated to strategic aspects of cybersecurity.

Secnology

Secnology

Secnology is dedicated to developing and providing the most powerful and user friendly event analysis and security management solution.

Wallarm

Wallarm

Wallarm is the only unified, best-in-class API Security and WAAP (Web App and API Protection) platform to protect your entire API and web application portfolio.

ESL Bangladesh

ESL Bangladesh

ESL is the Largest IT Infrastructure & Telecom Service Provider in Bangladesh.

Swedish Board for Accreditation and Conformity Assessment (SWEDAC)

Swedish Board for Accreditation and Conformity Assessment (SWEDAC)

SWEDAC is the national accreditation body for Sweden. The directory of members provides details of organisations offering certification services for ISO 27001.

AlertSec

AlertSec

AlertSec Ensure is a U.S. patented technology that allows you to educate, verify and enforce encryption compliance of third-party devices.

Green Radar

Green Radar

Green Radar is a next generation cybersecurity company which combines technologies and services together to deliver Threat Detection for Emails and Deep Threat Analytics and Response.

Mobilicom

Mobilicom

Mobilicom is an end-to-end provider of cybersecurity and smart solutions for drones, robotics & autonomous platforms.

Dapple Security

Dapple Security

Dapple Security is creating cutting edge technology utilizing responsible biometrics that protects people and privacy through a first-of-its-kind passwordless platform.

Tracer

Tracer

Tracer (formerly Appdetex) is a next-generation brand protection solution. It constantly finds, analyzes, and stops brand abuse across Web2 and Web3 digital channels.

Common Good Cyber

Common Good Cyber

Common Good Cyber is an initiative to strengthen global cybersecurity by supporting organisations that deliver core cybersecurity services that protect the Internet as a whole.