Below is a condensed version of the statement I have prepared for my testimony tomorrow before the Senate Armed Services Committee on the international law dimensions of U.S. cyber strategy and policy (link to the hearing is here). The full version, which also includes some extra detail and sourcing in the footnotes, is available here.
Chairman McCain, Ranking Member Reed, members of the committee, and staff. I appreciate the opportunity to address this critical topic.
In discussing cyber policy and deterrence, I have been asked specifically to address some of the international law questions most relevant to cyber threats and U.S. strategy. These include whether and when a cyber-attack amounts to an “act of war,” or, more precisely, an “armed attack” triggering a right of self-defense. I would also like to raise the issue of how the international legal principle of “sovereignty” could apply to cyber activities, including to the United States’ own cyber-operations.
These are important questions because they affect how the United States may defend itself against cyber-attacks and what kinds of cyber-actions the United States may itself take. They are difficult questions because they involve applying long-standing international rules, developed in some cases over centuries, to new and rapidly changing technologies and forms of warfare.
To state upfront my main points: International law in this area is not settled. There is, however, ample room within existing international law to support a strong cyber strategy, including a powerful deterrent. The answers to many international law questions discussed below depend on specific, case-by-case facts, and are likely to be highly contested for a long time to come. This means that the United States should continue to exercise leadership in advancing interpretations that support its strategic interests, including its own operational needs, bearing in mind that we also seek rules that will effectively constrain the behaviors of others.
Turning to some specific international legal questions, first, it is sometimes asked whether a cyber-attack could amount to an “act of war.” More broadly, how are cyber-attacks classified or categorized under international law? When should a cyber-attack be treated legally the same way we would treat a ballistic missile attack, for example, versus an act of espionage, or an act of economic competition? Or should actions carried out in cyberspace be treated altogether differently, with entirely new rules? One reason this matters is that certain broad categories of hostile actions are prohibited under well-established international law. Another reason is that how a hostile action is categorized under international law is relevant to what types and levels of defensive responses are permitted. That is, different legal categories of hostile acts correspond to different legal options for countering them.
The term “act of war” retains political meaning, usually to signify the hostile intent and magnitude of threat posed by an adversary’s actions. As a technical legal matter, this term has been replaced by provisions of the United Nations Charter. That central, global treaty created after World War II prohibits the use of “force” by states against each other, and it affirms that states have a right of self-defense against “armed attacks.” Historically, those provisions had generally been interpreted to apply to acts of physical violence. Questions arise today, though, as to how these provisions should be interpreted to account for the grave harms that can be inflicted through hacking and malicious code, rather than bombs and bullets.
A more legally precise way to frame the “act of war” question, then, is whether a cyber-attack could violate the UN Charter’s prohibitions of force or could amount to an armed attack. Even if a cyber-attack does not rise to those thresholds—take, for example, a hack of government systems that results in the theft of large amounts of sensitive data—the United States would still have a broad menu of options for responding to them. And even cyber-attacks that do not amount to force or armed attack may nevertheless violate other international law rules, some of which I discuss below. However, a cyber-attack that does cross the force or armed attack threshold would trigger legally an even wider set of responsive options, which notably could include military force or cyber-actions that would themselves otherwise constitute prohibited force.
Similar questions arise in interpreting mutual defense treaties, such as the North Atlantic Treaty, to account for cyber-threats. Those commitments include collective responses to “attacks,” which historically meant kinetic military attacks but might be invoked in response to attacks carried out in cyberspace.
In recent years the United States government has definitively taken the public position that some cyber-attacks, even though carried out through digital means rather than kinetic violence, could cross the UN Charter’s legal thresholds of “force” or “armed attack.” In taking that position, it has said that these determinations, in a given case, should consider many factors including the nature and magnitude of injury to people and the damage to property. In explaining publicly this position, the U.S. government usually provides only quite extreme scenarios, such as inducing a nuclear meltdown or causing aircraft to crash by interfering with control systems.
This approach to applying by analogy well-established international legal rules to new technologies is not the only reasonable interpretation, but it is generally sensible and can accommodate a strong cyber strategy. It is likely better than alternatives such as declaring the UN Charter rules irrelevant to cyber or trying to negotiate new international legal rules from scratch.
However, the U.S. government’s approach to date in interpreting the UN Charter for cyber-attacks, at least as explained publicly, may seem unsatisfactory to policymakers and planners. It leaves a lot of gray areas (though even in the more familiar world of physical armed force there are many legal gray areas). It is difficult to draw clear legal lines in advance when the formula calls for weighing many factors. And it leaves open how to treat legally some cyber-attacks that do not directly and immediately cause physical injuries or destruction but that nevertheless cause massive harm—take, for instance, a major outage of banking and financial services—or that weaken our defense capability—such as disrupting the functionality of military early warning systems.
In terms of policy, it may therefore be useful to draw sharper “red lines” than the United States has done to date. The United States has been pushing for, and should push for, certain norms of expected behavior in cyberspace (which may not be formally required), and similarly it should continue to discuss or negotiate with rivals some specific mutual restraints on cyber-attacks on particular types of targets, along with confidence-building measures.
In terms of international law, however, I do not expect that precise answers to these questions about “force” and “armed attack” will, or can, all get worked out quickly. The scenarios for cyber-attacks are very diverse and the processes by which international law develops—much of it through the actions and arguments, counter-actions and counter-arguments of states—are slow. (As I have written elsewhere, several features of cyber-attacks, such as lack of transparency, make incremental legal development through State practice especially difficult to assess.)
Although the “act of war” or, more precisely, “armed attack” question usually attracts more attention, I want to raise for your consideration another relevant international law issue: the meaning of state “sovereignty” in the cyber context. The United States cares deeply about preserving its own sovereignty. I would emphasize also, though, that the meaning of that concept in the cyber context—or how the U.S. government interprets the principle of sovereignty as it applies to digital information and infrastructure—could have significant impact on the offensive and defensive operational options available to the United States. Very similar issues arise with respect to the international legal principle of “neutrality” during armed conflicts.
“Sovereignty” is a well-established principle of international law. In general, it protects each state’s authority and independence within its own territory (and a closely related concept in international law is the principle of “non-intervention”). But sovereignty is not absolute and its precise meaning is fuzzy—even in physical space, let alone cyberspace. Questions could arise as to whether cyber-activities, including U.S. offensive cyber-actions or defensive cyber-measures, that occur in or transit third-countries without their consent might violate their sovereignty. Because of the global interconnectedness of digital systems, including the fact that much data is stored abroad and constantly moving across territorial borders, the answer to such questions could have far-reaching implications for cyber-operations.
We have a strong interest in limiting infiltration and manipulation of our own digital systems but in my view there is not enough evidence of consistent and general practice among states, or a sense of binding legal obligation among states, to conclude that the principle of sovereignty would prohibit cyber-operations just because, for example, some cyber-activities take place within another state, or even have some effects on its cyber-infrastructure, without consent. It may usually be wise to seek that consent from states that “host” digital systems that might be affected or used in cyber-operations, but I am skeptical of legal interpretations of sovereignty that impose extremely strict requirements to obtain it, especially when the effects are minimal.
This is not the setting to discuss operational issues in detail. I expect, though, that such questions about how sovereignty principles apply to cyber-operations, like questions “force” and “armed attack” thresholds, will remain the focus of intense discussion within the U.S. government and with allies and partners abroad.
Existing international law, although not yet settled, is adequate to support a strong cyber-defense strategy, including a powerful deterrent. The answers to many international law questions, such as those I have discussed, depend on specific, case-by-case facts, and are likely to be highly contested for a long time to come. This means that the United States should continue to exercise leadership in advancing interpretations that support its strategic interests, including its own operational needs, bearing in mind that we also seek rules that will effectively constrain the behaviors of others.