Cyber attacks given same UK security threat ranking as earthquakes
According to the 2011-16 UK National Security Strategy, cyber attacks now constitute a ‘tier one’ threat to UK national security.
This puts cyber warfare — that is, deliberate acts of destruction and violence committed against the state via cyber networks — on the same level with international terrorism, inter-state military action, and natural hazards such as earthquakes and mass flooding. In the first quarter of 2017 alone, over a hundred cyber attacks on both public and private institutions worldwide have been reported. This is not to mention the repeated claims by Western governments — including the USA and Italy — that the Russian state has conducted or sponsored hacking of government data.
International law has been slow to catch up. The official response has been to treat cyber attacks as traditional attacks, with the same guiding principles. Only recently, amid calls to deal with Russia’s apparent widespread use of cyber warfare, has NATO updated the Tallinn Manual, its ‘black letter’ advice to states on applying international law to cyber threats. However, the update still relies on using the old laws of warfare to suit very modern methods. No suggestion has been made for a brand new framework to deal with this new threat.
Given how widespread cyber attacks have become, is this too little too late? Or can international law still provide states with a coherent response to cyber warfare? At what point does a hacker become a soldier?
Relations between states are subject to two principles: the prohibition of the ‘use of force’ (Article 2(4) of the UN Charter) and the right to ‘self-defence’ (Article 51). In their current form, these principles have existed since 1948 — since the international community agreed that warfare should be kept to a bare minimum, and formed the UN.
The ‘use of force’ is a broad concept without clear parameters; whether cyber attacks can come under its banner is therefore unclear. The drafters of the UN Charter knew warfare as guns and armies, not strips of code sent from a laptop a thousand miles from the intended target. Article 51 guarantees the right to self-defence against an ‘armed attack’, which is a narrower concept, to which not all ‘uses of force’ will apply. Only an ‘armed attack’ gives a right to self-defence: without this right, an attacking state is left vulnerable to legal and military challenges.
It is therefore vital for any attacked state to know whether the right to self-defence exists when responding. Stretching ‘use of force’ to cover the cyber threat is no easy task, much less ‘armed attack’. This ambiguity leaves states unsure of how they can respond to cyber attacks.
NATO’s response in 2013 was the original Tallinn Manual. The Manual’s general principle is that a cyber attack should be treated as any other attack. According to the Manual, international law applies exactly the same to cyber attacks as it does to any other kind, and thus generates rights and obligations just like any other attack.
However, this formula only works when the cyber attack does the same magnitude of physical damage a military strike would have: economic, social, and psychological damage are explicitly discounted.
The Stuxnet Worm virus, one of the more infamous cyber attacks in recent history, infiltrated the control systems of Iran’s nuclear sites in 2010. It was later revealed that this complex attack was in fact designed by the Bush administration, code-named ‘Operation Olympic Games’. It was part of a much larger planned cyber assault on Iran’s military systems.
A virus of this magnitude could be powerful enough to cripple a state’s military capabilities, especially if that state had invested heavily in high-tech weaponry. Considering the increasing dependence many states have placed on the use of high-tech weapons systems, this poses a clear and present threat. The technology has only become more advanced since then.
So, does a cyber attack like Stuxnet count as an ‘armed attack’? It caused no physical damage — no computers exploded and no one was hurt – and yet it had the potential to disable a whole section of the Iranian military.
Under the Manual, it seems likely that Stuxnet would have come under the heading of a ‘use of force’, at the very least. But how about Russia’s alleged hacking of the US election?
Had Russian soldiers installed Donald Trump as US president by force, or even threatened electors, no one would be arguing the US’ right to a military response. However, cyber warfare is more insidious and harder to trace. By its nature, it is more likely to target exactly the areas exempted by the original Tallinn Manual — economic, social, and psychological factors — and cause no physical harm to people or property.
Does this make cyber warfare less of a threat than bombs? Or does it simply mean that the Tallinn Manual dangerously underestimated a serious threat?
The newest version, Tallinn Manual 2.0, was released in February of this year. This newer edition promised a broader look at cyber warfare as a whole. However, it continues to restrict its scope solely to those attacks falling within the ‘use of force’ threshold. These include attacks against a state’s ‘critical infrastructure’ and ‘command and control operations’. It argues that cyber espionage — including the Russian examples — has no relation to the law of warfare.
However, cyber warfare exists beyond the traditional boundaries of ‘espionage’ and ‘warfare’: a cyber attack is nothing like a physical strike. If we are to treat any attack that does not cause the same damage an army would have as no attack at all, then the law of cyber warfare is all but non-existent.
The rapid pace of development in computer technology leaves the slow-moving international law behind. However, if states are to formulate coherent and effective polices to tackle this threat, the law must keep up. States have to be able to properly defend themselves against attacking states, whatever form those attacks take.
So far, we have no answer to the central question: when does a hacker become a soldier?
Helena Kerkham is a masters students at the University of Manchester, studying public international law. This post was one of the standout entries we received for the BARBRI International Cyber Crime Blogging Prize.
Please bear in mind that the authors of many Legal Cheek Journal pieces are at the beginning of their career. We'd be grateful if you could keep your comments constructive.