Legal ambiguity in cyberspace might be alluring for some states in the short term, but it is decidedly a poor operational or strategic choice, Robert McLaughlin and Michael Schmitt write.
The apparent failure of the United Nations Group of Governmental Experts (GGE) to reach consensus on the rules of behaviour of states in cyberspace speaks volumes.
After years of meetings, extensive inter-state discussion, and the issuance of two key reports expressing consensus that international law applies to cyber operations, the GGE process, which included Australia, came to a rather sudden halt in June. The failure to agree upon the text of a draft report relating to international legal issues was on the back of a series of interlinked and, it must be said, artificially enhanced hurdles.
On the face of it, Russia, China, Cuba, and others rejected the draft GGE report on the basis of reinvigorated concerns about how cyber interacts with a range of legal concepts and schemes. One issue was the extent to which ‘countermeasures’ (as that term is understood in international law) are available in response to hostile cyber operations. That is, how do we identify when and how a state may respond to a hostile cyber operation with its own cyber capabilities, which would be unlawful but for the fact that its purpose is to induce the attacker to desist? In fairness, the issue of “hacking back” is complicated, and as such disagreement within the GGE on the matter was unsurprising.
But the other two impediments to consensus were inexplicable, at least from the international law perspective.
The first involves the “inherent” right of national self-defence, enshrined in both the UN Charter and customary international law. States in opposition objected to a direct reference to the right in the draft report.
Yet the previous GGE reports had acknowledged the applicability of the UN Charter to cyber operations, a conclusion that could only have encompassed Article 51’s right of self-defence. And self-defence in cyberspace has been the subject of nuanced deliberations in the international law community — the issue was no longer the right’s existence, but rather the threshold at which it kicked in for a state facing hostile cyber-attacks. In the end, even the mention of self-defence in the report proved a bridge too far for certain states.
The second sticking point was the proposed inclusion of a direct reference to international humanitarian law. For an international lawyer, the notion that cyber operations during an armed conflict would not be subject to the limitations and restrictions of humanitarian law — such as the prohibitions on attacking civilians and civilian objects — is absurd. However, this concern was seriously misguided and led to a curiously incorrect legal conclusion: that acknowledging humanitarian law’s applicability would somehow justify the cyber operations during such conflicts.
Leaving aside the conspicuous fact that China and Russia have developed a substantial military capability to engage in cyber operations, the objection, if taken at face value, distorts the humanitarian purpose of the law beyond recognition. This development troublingly signals not merely a pause in the drive for interpretive consensus, it is a regressive step backwards.
An issue that has emerged outside the GGE process, but one that is creating further normative uncertainty, is whether a state’s “sovereignty” protects it from certain hostile cyber operations. The prevailing view has been that it does; the question is instead “which ones?”
Recently, however, a view emerged in certain (and certainly not all) quarters of the US and UK governments, and perhaps elsewhere, that sovereignty in itself has no protective effect; it is merely a principle that gives rise to other prohibitions — on intervention into another state’s internal affairs, for example.
This is a far narrower approach than that which had heretofore been widely accepted in the international law community. Absent a prohibition on the violation of another state’s sovereignty, the vast majority of cyber operations that are regularly directed against states would not violate international law.
The hesitancy to openly accept these long-accepted principles and rules of international law in the cyber context is, in fact, merely a manifestation of a deeper malaise in state discussions around the international regulation of cyber operations. Indeed, these issues are effectively weapons deployed in the service of a more ambitious agenda — the retention (and even creation) of a “useful” level of ambiguity in the application of law to cyber operations.
Why would certain states want to come to “all stop” rather than proceed at “half ahead” on building consensus as to the normative architecture of cyberspace?
The answer is that maintaining a level of ambiguity fosters operational and strategic flexibility.
A basic function of rules is the articulation of identifiable lines in the sand – conduct on this side of the line is permissible, while conduct on the other is not. When a state steps across that line, it may justifiably be condemned by other states on the basis of law. Being held to account in a formal or informal forum, or even in global public opinion, for a breach of “the law” is a significantly more problematic consequence management predicament for states than having their conduct labelled unethical or politically ill-advised, albeit not necessarily illegal. But accusing a state of unlawful conduct is ineffectual if there is no recognised line in the legal sand to back up the allegation.
Thus, states wishing to retain relative freedom of action in cyberspace have reasons to embrace uncertainty.
Similarly, definitive lines in the sand empower states targeted by unlawful cyber operations. If the attacker crosses the line, then a range of quite robust (and otherwise unlawful) responsive measures (including hack-backs) becomes available. Absent an identifiable line, however, uncertainty will pervade, and eventually hobble, the targeted state’s deliberations as to whether it may employ a counter-measure. Exploiting such “grey zones” in the law creates a conundrum for the adversary. In this classic lawfare tactic, the target state inevitably hesitates to respond out of concern that its countermeasure might be labelled the first unlawful act in the back and forth cyber exchange. In this dynamic, operational benefits result from preserving (and artificially creating) these legal grey zones.
What gets lost in this assessment is that legal clarity – including even lightly drawn lines in the sand – is also a highly useful attribute. In the cost-benefit analysis that must infuse both operational and strategic legal assessments, clarity wins out over ambiguity.
First, clarity enhances deterrence. It allows a potential attacking state to better assess the cost-benefit balance of a hostile cyber operation by making the associated risk more discernible — cross the line and the adversary gains a legally unimpeachable right to respond with a robust counter-measure. In addition to clarifying the nature of the potential response to a cyber-attack, the likelihood of response by the target state increases, for it will be seen by the international community as a lawful response to an unlawful cyber operation, thereby diminishing the possibility of blowback following its execution by the target state.
Second, clarity lowers the risk of escalation by reducing the potential for mischaracterisation of the act. When ambiguity prevails, there is always a risk that a target state of a cyber operation will characterise it as unlawful when the launching state believed it to be an unfriendly, but legal, action. Should the target state respond aggressively, as it would be entitled in the face of an unlawful act, the launching state is liable to view the response as unwarranted.
Clarity, therefore, engenders stability in cyberspace.
We are not so naïve as to believe that cyber operations directed at other states never contribute to a state’s national security. The operational and strategic flexibility resident in normative ambiguity is appealing, for good reason, to certain states and to agencies charged with conducting such operations.
Yet, on balance, clear normative firewalls enhance the defence of a state’s national interests and contribute to its national security to a greater extent than uncertainty. And for states committed to the rule of law, there should be a rebuttable presumption against such uncertainty. More broadly, cyberspace renders states highly interdependent. This being so, clarity contributes to global cyberspace stability.