PC Probe: Counting the consequences of cyberattacks
How are governments allowed to respond to cyberattacks? James O’Malley talks to the legal experts
When President Biden met President Putin in Geneva in June, he reminded his Russian counterpart of something important: that the US has “significant cyber capability”. With a nudge and a wink, he was warning Russia that enough was enough.
This subtle shift in tone is unsurprising. From Russia’s alleged interference in the 2016 election, to last year’s supply-chain attack on IT-management software vendor SolarWinds, which trojanised software updates used by the US and UK governments, the US has long been a target of foreign hacking.
But what can Biden do? And, more importantly, what is he – or any other world leader – allowed to do if attacked?
Pointing fingers
“If country A flies its aeroplane into the airspace of country B without permission, it’s violated its sovereignty,” said Michael Schmitt, professor of public international law at the University of Reading and a scholar at the US military college West Point. He’s also the editor of the Tallinn Manual, an influential study that aims to figure out the laws of cyber conflict, which since the first edition was published in 2013 has been considered the authoritative text in this area of legal study.
“But what if it doesn’t do that? What if it conducts cyber operations? Under what circumstances would we call that a violation of sovereignty? We’re taking those rules that were not meant for cyber. And we’re saying, in international law, rules apply to new phenomena and new technologies,” he said.
The big problem is that cyber is more complicated than the physical world. That means the first question to ask after a cyberattack is does it even count as an attack at all?
“When does a remotely conducted cyber operation violate sovereignty?” asked Schmitt. “You hurt someone? Sure. You physically damaged cyber infrastructure? Sure. What if you simply caused the system to work in a manner it wasn’t intended to work? What if you’re simply sitting inside their system with malware that you haven’t activated yet?
“What if you’re engaging in espionage, and it’s widespread espionage where you’re just scooping up mountains of data on people?”
Unfortunately, there’s no clear definition of what constitutes an attack. However, even if the lawyers do agree an attack has occurred, and a response is justified, there’s another important step: figuring out who is responsible. This is something that international legal scholars call “attribution”.
“To factually attribute conduct in [cyberspace], it’s very tricky because of the use of VPNs and stuff like that,” said Dr Talita Dias, a research fellow at the Oxford Institute for Ethics, Law and Armed Conflict. “It’s difficult forensically to identify the source of an attack.”
Another potential complication is not just the technical attribution, but also the question of whether or not hackers are working on behalf of a country or are just based in a given state.
“[Imagine] you have an attack coming from Italy,” said Dr Antonio Coco from the University of Essex’s School of Law. “You have no evidence that Italy has sponsored or directed this attack at all, but you do have evidence that the attack comes from a hacker group that operates from Italy. If you can demonstrate that Italy has failed to exercise due diligence in preventing that attack from hurting people or entities in the UK, then the responsibility of Italy may be implicated.”
Consequently, even if the hackers can’t be directly linked to their host country’s government, it could still be lawful to respond with countermeasures thanks to this due diligence principle: the obligation, which flows from a state’s sovereignty over its territory, not to knowingly allow that territory to be used for acts that harm other states.
Fighting back
“Countermeasures” is the legal term for responding to an attack, and this appears to be what Biden had in mind when he spoke to Putin. “That is clearly what Biden is threatening,” said Schmitt. “I think he’s saying ‘no, no, no, the gloves are off now. If you keep this up, then we’re going to start shooting back.’”
However, the options the US – or any other country that has fallen victim to a cyberattack – has are limited. “International law does not recognise tit for tat, ever,” said Schmitt. “There’s no international law rule that says retaliation is lawful. International law is designed to return a situation to one of peacefulness. So, the striking back must always be to make the other side stop.”
The law might not be enough to prevent retaliatory attacks, though, because responding in cyberspace is relatively cheap. “The risk of escalation with cyber confrontations is always high,” said Coco. “When you have two countries confronting each other in the offline world, usually they do it with their armies. This is costly. It’s resource intensive, and it’s also very difficult to conceal. In cyber dealings, it’s very cost effective to empower hacker groups.”
Retaliation can also lead to de-escalation. “If you can hack back and shut the system down, great, but sometimes you may not get in that system,” said Schmitt. “So what you’re trying to do is impose a bit of pain on the other side, where the other side says, ‘I don’t know if this is worth it anymore. Let’s knock this off.’”
This, for example, is why we might be seeing an increase in states getting hold of cryptocurrency caches. “If we can’t [hack back], let’s block the resources that these malicious actors are using,” said Dias.
“So, in the context of ransomware, can we seize, for example, crypto assets? We could do that as a proportionate response.”
Sparking real confrontations
That’s not to say countermeasures have to be “cyber” in nature. Under the current legal understanding, other types of response are lawful too.
Schmitt gives the example of Estonia. In 2007, the country came under sustained cyberattack from Russia: distributed denial-of-service (DDoS) attacks, including ping floods, against a range of Estonian websites and organisations, including the country’s Parliament. It’s this experience, and the questions over how the Estonian government should respond, that gave the Tallinn Manual its name.
The problem is that Estonia is a tiny country of 1.3 million people that lacks Russia’s cyber resources. But in Schmitt’s view, under international law it would be legal for the country to respond another way, such as by blocking Russian ships from passing through its territorial waters in the Baltic Sea – a crucial strategic pinch point for Russia.
“Estonia could impose pressure by doing something that would normally be illegal… but now it’s okay to get the other side to knock it off,” said Schmitt.
Schmitt thinks that in extreme circumstances a country could even respond to a cyberattack with military force: not as a countermeasure, which the Tallinn Manual limits to non-forcible measures, but in self-defence, where the attack’s effects are grave enough to amount to an armed attack. These cyber conflicts could eventually have very serious consequences.