Cyber Security and Emerging Threats Touraj Riazi

Filling Gaps: Cyberspace & Grey Zone Dangers

Surmounting Uncertainty

The advent of cyberspace as a domain of warfare has heightened the risk of new conflicts. NATO’s Secretary General Jens Stoltenberg recently declared that “a serious cyberattack could trigger Article 5 of our founding treaty”. The U.S.’s War Manual explicitly affirms that “international law and long-standing international norms are applicable to State behaviour in cyberspace”. However, almost a decade has passed since the U.S. recognized cyberspace as a domain of war and little clarification has since emerged on which norms and rules regulate state conduct in this domain.

Challenges confronting states and policy makers derive not from whether international law applies to states’ conduct in cyberspace—for it certainly does—but how it does so. The nature of both international law and cyberspace (a domain still struggling with definitional issues) compound complications inherent in clarifying how general principles of international law apply to the particularities of cyberspace. A paucity of opinio juris and (known) state operations also imposes limitations on how international law may be applied to cyberspace. It is these shortcomings that permit states capable of cyber operations to exploit gaps between the law—grey zones.

Different Shades of Grey

Numerous senior American policy makers have stated there exists, in effect, “global affirmation of the applicability of existing international law to State activity in cyberspace in both peacetime and during armed conflict”. This means states engaging in cyber operations against another state will undoubtedly be subject to repercussions (including justifiable countermeasures from the target state) should their operations result in large scale physical destruction or otherwise surpass the threshold of the prohibition against the “use of force” against another state.

Similarly, should states violate the principle of non-intervention against another state through cyber means, such as hacking into an electoral voting systems to alter or affect the result, they would stand in violation of already established international law and face countermeasures accordingly. Confusion about the applicability of international law arises when actions in the cyber domain fall below commonly respected thresholds (i.e. physical destruction) with respect to each of these principles. 

An absence of certainty about which actions represent clear violations of a state’s sovereignty, or constitute a violation of the non-intervention principle, gives rise to gray zones which states such as Russia have exploited to their advantage through hostile but non-destructive acts. The most prominent examples include Russia’s DDoS (distributed denial of service) attacks and its interference in numerous democratic elections across the world, most notably in Germany, France, and U.S. Consequently, relevant stakeholders believe that below the threshold of kinetic destruction there is “insufficient evidence to support assertions that the principle of sovereignty operates as a customary international law that regulates states’ action in cyberspace”.

Further complications arise when determining what cyber activities can be said to constitute “armed conflict” or “intervention”. Difficulties surrounding attribution only exacerbate these issues. Do hackers that have conducted hostile actions against a state while being funded by another state result in the state that funded them being subject to legitimate countermeasures for violating the principle of non-intervention? Does Russia’s well known hacking of the Democratic National Committee’s database and subsequent release of e-mails constitute a violation of the same principle? The noticeable absence of any proportional U.S. response suggests not. With respect to the use of force, does the mere training and equipping of forces constitute crossing the force threshold as it did in the well-known court judgment involving Nicaragua and the United States? The Tallinn Manual interestingly designated Stuxnet as an armed attack but did not consider it to constitute a use of force.

A Risky Wait

Major complications clearly arise when assessing the applicability of international law in cyberspace, particularly with respect to actions that fall below the threshold of armed conflict. It is imperative to resolve these complications for their existence permits the exploitation of grey zones by actors who benefit from the ambiguity created by an absence of established norms of conduct in cyber space.

Some attempts can and currently are being made by states and other actors to establish customary international law with respect to cyber space. Efforts by the U.N. Group of Governmental Experts have produced some headway and the Tallinn Manual represents the most comprehensive effort to date to present how international law applies to conduct in cyberspace. As states continue developing cyber capabilities, conducting cyber operations, and forming judgments about what constitutes a norm in cyberspace, grey zones will incrementally be replaced by defined scopes of conduct falling under the purview of international law.

Photo: By NSWC Crane Corporate Communications. Courtesy of U.S. Navy

Disclaimer: Any views or opinions expressed in articles are solely those of the authors and do not necessarily represent the views of the NATO Association of Canada.