31 December 2017

How Should International Law Treat Cyberattacks like WannaCry?

By Michael J. Adams, Megan Reiss

North Korea was behind the infamous WannaCry cyberattack, asserted homeland security adviser Thomas P. Bossert in a Dec. 18 op-ed in the Wall Street Journal that echoes the CIA’s previously classified assessment and British government statements. And the United States, Bossert insists, will hold bad actors accountable—in this case, for the billions of dollars in harm caused by this widespread and indiscriminate ransomware attack. He cites as precedent the U.S. government actions taken against Russian, Iranian and Chinese hackers.

But curiously, other than publicly attributing WannaCry to North Korea, Bossert does not identify any specific measures of accountability being taken against Pyongyang, either by the United States or by the United Kingdom (where the WannaCry attack knocked a substantial number of National Health Service hospitals offline). Instead, Bossert suggests the U.S. government’s focus is to “call out bad behavior” and that this effort to name and shame North Korea is part of the Trump administration’s “maximum pressure strategy.”

Certainly, we do not read too much into Bossert’s failure to mention responsive cyber activities that might be undertaken as covert, clandestine or low-visibility operations, especially considering that successful actions would generally go undetected. But publicly highlighting the type of response a bad actor might expect after launching a cyberattack would give the administration an opportunity to bolster cyber deterrence. Moreover, the administration may be missing the chance to clarify the law of armed conflict, principles of non-intervention and self-determination, and other areas of international law, as they relate to cyberattacks.

The administration instead seems most interested in leveraging “partners, industry and allied governments” to hold the North Korean regime accountable. In his editorial, Bossert focuses on getting private sector actors on board with the pressure campaign when he explains:

We call on the private sector to increase its accountability in the cyber realm by taking actions that deny North Korea and other bad actors the ability to launch reckless and destructive cyberattacks. We applaud Microsoft and others for acting on their own initiative last week, without any direction or participation by the U.S., to disrupt the activities of North Korean leaders.

Bossert appears to reference recent defensive cyber actions by Microsoft that, along with action by Facebook, eliminated certain accounts or profiles believed to be used by North Korean hackers and cleaned up some users’ cyber hygiene by taking steps such as cleaning its customers’ infected computers and strengthening security against malware. But such actions, while perhaps necessary and undoubtedly appropriate under the circumstances, seem a far cry from the robust cyber-deterrence actions for which some in Congress have been clamoring.

This constitutes a curious turn in the tale of WannaCry and other recent cyberattacks, such as Petya ransomware and NotPetya malware. It also marks a shift, more broadly, in our understanding of the roles, responsibilities and authorities of states and non-state actors in cyberspace.

Bossert steers clear of politically charged terms likeact of war” and stops short of declaring that the WannaCry cyberattack was a use of force or armed attack or otherwise would justify the U.S. government to respond with countermeasures. But it was only a short time ago that we saw deliberations within the United States—as well as within NATO and the EU—over whether some cyberattacks should be categorized as constituting acts of war (in political terms) or armed attacks or uses of force (under international law).

For instance, the U.S. government recently published the hearing transcript and questions for the record for the Sept. 13, 2016 Senate Armed Services Committee (SASC) hearing on "Cybersecurity, Encryption and United States National Security Matters." Included was the Pentagon’s response to Sen. Richard Blumenthal (D-Conn.) on cyber acts of war, detailing the general framework to identify and respond to a cyberattack that meets the threshold of an armed attack under international law. While the Pentagon’s response is in no way new (Harold Koh, the former top legal adviser to the State Department, outlined principles governing cyber warfare in 2012), when coupled with the lack of clarity in Bossert’s editorial, the responses highlight the ongoing need for additional analysis on cyber law questions.

We have repeatedly witnessed confusion among American politicians and policymakers regarding what legal thresholds are applicable to cyberattacks, confusion that does not exist when discussing the average kinetic attack. Setting aside the lack of consensus regarding the applicability of particular international law rules and principles applicable to cyberspace activities (for instance, the principle of sovereigntyand rules regarding civilian objects and military objectives), our leading concern is that U.S. elected officials and their appointees sometimes appear ill-informed about, or unencumbered by, the use of force and armed attack thresholds established in Articles 2(4) and 51 of the U.N. Charter, respectively. There is such dissatisfaction with international law in this area—its constraints and uncertainty being foremost among the complaints—that leading political authorities tend to discount the utility of international law in favor of political discourse centered on even looser concepts.

This was at least part of the challenge presented in the September 2016 Senate Armed Services Committee’s cybersecurity hearing. In the Pentagon’s attempt to reconcile the political question of what constitutes an act of war with international legal standards and previous public pronouncements by the Obama administration, it explained that a cyberattack that meets the threshold of an “act of war” would include a “significant loss of life, injury, destruction of critical infrastructure, or serious economic impact.” This response built on Koh’s 2012 speech, which illustrated the point with extreme examples, such as describing a line of code that would cause a dam to release floodwaters in a way comparable to the “significant” destruction of a bomb destroying a dam.

But neither the Defense Department’s definition nor Koh’s speech that guided it were particularly satisfying in the context of addressing questions about Russian interference—the most pressing matter before the SASC in that hearing. In particular, Blumenthal and Sen. John McCain (R-Ariz.) took serious issue with the assessment by Adm. Mike Rogers, the director of the National Security Agency, that Russian cyberattacks on the electoral system would have to have produced more significant impact or physical destruction to constitute an armed attack.

In his remarks, Rogers pointed to the U.N. Charter’s Article 51 standard. This was an important maneuver, and it was consistent with the approach generally taken by the U.S. government to analyze cyber operations with an eye toward applicable international legal standards. However, the U.S. interpretation of the U.N. Charter may not always work to its advantage.

In particular, one challenge that the U.S. faces in the cyber domain is that the United States, unlike some states, does not recognize a gap between a “use of force” under Article 2(4) or an “armed attack” under Article 51. In implementing this interpretation, the United States holds that Article 2(4) is not implicated in the cyber domain, absent some physical manifestation involving, as Koh explained, a “significant” destructive effect. For example, in the case of Russian cyberattacks on the electoral system, since the attacks did not cause physical harm and attain requisite “scale and effects,” they did not trigger Article 2(4).

Other states and scholars take a different approach that broadens the scope of attacks that would trigger the applicability of the law of armed conflict. This competing interpretation offers that certain incidents not rising to the level of an armed attack under Article 51 may constitute a use of force under Article 2(4), even in the absence of significant physical damage. Under this more expansive interpretation, the 2014 Sony Pictures hack, WannaCry, Petya and NotPetya attacks all would be more likely to be viewed as a violation of Article 2(4). Where tripping the 2(4) threshold might provide legal justification for countermeasures, the more expansive interpretation could be a significant development. We are not aware of any ongoing efforts by the U.S. government to reconsider this approach, nor does Bossert’s op-ed indicate any such reassessment.

To be sure, such a change would need to be considered carefully, particularly in relation to the potential ramifications of reciprocal conduct. For example, other states may view U.S. intelligence-collection activities as violating Article 2(4) and state responsibility, thus affording those states legal justification to respond with countermeasures of their own.

The more significant problem is that, while the U.S. government has been proactive in making public statements about the applicability of international law to cyberspace operations and seeking to hold other states and nonstate actors accountable for their cyber operations, it has done very little publicly to advance the dialogue about what specific types of cyberattacks violate international law—other than providing extreme, self-evident examples. Everyone can agree that a cyberattack that destroys the power grid would be equivalent to an armed attack—but we are still far from having substantial public agreement as to what actions short of the extreme would constitute an armed attack.

Bossert’s op-ed, for example, speaks in terms of “bad behavior.” Such language may be good enough for an op-ed, but these vague, undefined terms continue to fill altogether too many of the cyber discussions in the White House, Congress and much of the inter-agency process. Similarly, discussions of the indiscriminate nature of WannaCry have not led to clarity as to whether an indiscriminate cyberattack causing significant financial harm would invoke, for instance, NATO’s Article 5 agreement to invoke collective self-defense. We need more precise public conversations about specific actions and whether the nature, scope, magnitude and perhaps intent of such operations violate Articles 2(4), 51 or both.

We should applaud the U.S. government for publicly attributing the WannaCry attack and for calling on states and the private sector to enhance future collaboration in addressing cyberattacks. Bossert’s discussion of WannaCry moves the ball forward with regard to attribution and some measure of accountability. But as in so many past instances, we are left to wonder what the full implications of this cyberattack may have been as a matter of law. Do the billions of dollars in harm caused by WannaCry constitute “serious economic impact?” Would this damage have permitted a proportional response beyond public shaming? He does not offer an assessment of what the U.S. government considers the attack to have been, in legal or political terms.

Of course, we would not expect the U.S. government to announce unilaterally that any cyberattack above some specific monetary threshold would violate Articles 2(4) or 51, nor would this be a wise strategy with regard to developing an effective deterrent. But we should hope that public attribution is followed with more detailed analysis and public statements by governmental officials (including non-U.S. officials) about how these sorts of attacks should be treated under international law—including, if true, that international law may not currently regulate much of this conduct, particularly at the sub-use of force level.

Within the national security and international legal communities, it is time to move past the vagaries of diplomacy and into more concrete discussions of interpretations of law and countermeasures. Both decision-makers in the Pentagon and those members of Congress tasked with oversight deserve clear guidance into how the United States should respond to cyberattacks.

No comments: