Armed Attacks in Cyberspace: A Reply to Admiral Stavridis

Last week, Admiral (Ret.) James Stavridis, former NATO Supreme Allied Commander and presently Dean of the Fletcher School of Law and Diplomacy at Tufts University, correctly expressed concern that “unlike sea, air and land, much of cyberspace’s doctrine remains undefined, to include even the most fundamental of terms. We do not even have an agreed-upon definition of what constitutes an attack in cyberspace—and it is high time we did.” His article, appearing in Signal, identified a key real-world shortcoming of international law as applied to cyber activities. The lawyers cannot state with any certainty when a cyber operation trips over Article 51’s “armed attack” threshold thereby allowing the victim State to respond with either kinetic or cyber force. His frustration is palpable and rightly so. A former consumer of legal advice at the highest level of international security affairs, he understands first-hand the dilemma of being expected to effectively handle a sensitive situation without a clear rule book. As senior officers tend to do, he identified a problem and has set out to solve it. In fact, an unofficial rule book exists. The Tallinn Manual on the International Law Applicable to Cyber Warfare is the product of a three-year NATO Cooperative Cyber Defense Center of Excellence sponsored effort to offer a restatement of law, by a group of international legal scholars and cyber technical experts (the “International Group of Experts,” IGE). The Manual sets forth the logic behind its 95 rules and, in an extensive accompanying commentary, highlights those issues that remain unsettled in the law. Unfortunately, the Admiral is dissatisfied with the answer provided by the IGE. He notes in his article that

One prominent definition comes from the Tallinn Manual on the International Law Applicable to Cyber Warfare. The widely read but nonbinding document calls a cyber attack “a cyber operation . . . that is reasonably expected to cause injury or death to persons or damage or destruction to objects.” The Tallinn Manual is an impressive body of work, but its definition of cyber attack is far too simplistic to account for the nuances of cyberwarfare. It sets a dangerously high threshold for a domain with comparatively low barriers to entry.

Admiral Stavridis went on to offer a definition of his own for consideration: “[a] cyber attack is the deliberate projection of cyberforce resulting in kinetic or nonkinetic consequences that threaten or otherwise destabilize national security; harm economic interests; create political or cultural instability; or hurt individuals, devices or systems.” His is a concerning sentiment because decision-makers like the Admiral and their lawyers are precisely the Tallinn Manual’s target audience. It is especially troubling because his opinion deservedly carries enormous weight in the policy and operational communities . . . and he badly misconstrued the position of the IGE.  As director of the project, allow me to clarify the position of the experts on the issue of armed attack. First, the Tallinn Manual definition cited by the Admiral Stavridis is the wrong one.  Set forth in Rule 30, it refers to the term “attack” as it applies in a different body of law (international humanitarian law, IHL), rather than the law he is discussing in his article (jus ad bellum, the law governing the use of force). The former deals with how operations may be conducted once States are already involved in an armed conflict; the latter sets forth the rules regarding when States may resort to force in the first place (especially self-defense). Therefore, the Tallinn Manual definition he criticizes has nothing to do with the subject he raises. Instead, the IGE examined the meaning of “armed attack,” which is a jus ad bellum notion, in Rule 13. The Admiral may be forgiven, for conflation of the IHL term “attack” and the jus ad bellum term “armed attack” is common even among lawyers. But, albeit understandable, the error must be corrected since such conflation can have tactical, operational and strategic level consequences. Second, a clear understanding of the Tallinn Manual position is essential for policy makers because the definition is of critical importance; if a cyber operation qualifies as an “armed attack,” the victim State may respond with its own use of force, whether kinetic or cyber in nature. In fact, the Tallinn Manual never limited the definition of cyber armed attacks to those that cause physical damage or injury. Instead, Rule 13 provides that whether a cyber operation is an armed attack depends on its “scale and effects,” a notion borrowed the International Court of Justice’s Nicaragua judgment (on a related point). Members of the IGE agreed that “any use of force that injures or kills persons or damages or destroys property would satisfy the scale and effects requirement” and that “acts of cyber intelligence gathering and cyber theft, as well as cyber operations that involve brief or periodic interruption of non-essential cyber services, do not qualify as armed attacks.” But the commentary goes on to openly acknowledge that, “[t]he case of actions that do not result in injury, death, damage, or destruction, but which otherwise have extensive negative effects, is unsettled.” I happen to believe there are non-destructive or injurious cyber operations that could rise to the level of an armed attack, such as a massive cyber assault on the nation’s economic system. But no consensus could be reached within the IGE as to precisely where the line is to be drawn. Third, I am unconvinced Admiral Stavridis’ proposed definition adds any clarity to the subject. The devil is in the details. For example, it is unimaginable that the international community would treat any cyber operation having economic consequences or creating cultural instability (however that vague term may be defined) as an armed attack allowing the victim State to respond with force. That is simply not, has never been and will never be the law. Any definition that fails to set a clear threshold of economic harm is overly broad, inconsistent with the current law and not horribly useful to those who have to deal with the nuances of individual cyber operations. Finally, the Admiral’s comments seem to reflect a general sense that if the cyber operation does not rise to the level of an armed attack, the victim State is left defenseless. On the contrary, international law already addresses many of the concerns he and others have expressed. For example, the principle of non-intervention is on point with respect to certain operations that might create political or cultural instability, while the law of State responsibility governs when States are legally responsible for their cyber operations or those conducted at their behest. And States have a wide array of legal tools to respond to malicious cyber operations—retorsion, countermeasures, the plea of necessity, self-defense and, in the event of armed conflict, armed force that is permissible under IHL.  For instance, in the Sony case, sanctions (a form of retorsion) are clearly appropriate and certain U.S. cyber operations against North Korea would have been lawful as countermeasures. But the Admiral makes a fair point. It is unclear where the armed attack line lies. Therefore, I fully agree with him that it is incumbent on States to consider their position on the matter. And, in my view, the time to stake out a position is now, rather than when a harmful cyber operations are buffeting U.S. cyber infrastructure and activities.

***

Professor Michael N. Schmitt is a Fellow at the Harvard Law School Program on International Law and Armed Conflict (PILAC), and the Charles H. Stockton Professor and Director of the Stockton Center for the Study of International Law at the United States Naval War College in Newport, Rhode Island. He is also Professor of Public International Law at Exeter University in the United Kingdom, Senior Fellow at the NATO Cyber Defence Centre of Excellence, and Editor-in-Chief of International Law Studies.

Professor Schmitt was previously Professor of International Law at Durham University, Dean of the George C. Marshall European Center for Security Studies in Germany, and General Editor of the Yearbook of International Humanitarian Law. Before joining the Marshall Center, Professor Schmitt served 20 years in the United States Air Force as a judge advocate specializing in operational and international law. His military service includes deployments to Operation Provide Comfort and Operation Northern Watch.