Transition 2016

The DNC Hack Demonstrates the Need for Cyber-Specific Deterrents

By Rebecca Crootof
Monday, January 9, 2017, 8:00 AM

Nearly half a year after the DNC hack, the United States finally took action. Citing the role of the Russian government in cyber operations apparently intended to affect the U.S. presidential election, as well as harassment of U.S. officials abroad, the Obama Administration imposed sanctions on five Russian entities (including Russia’s two leading intelligence services) and four individuals, expelled 35 suspected Russian intelligence operatives, shut down two U.S.-based Russian compounds, and released information on Russian cyber practices.

Despite this being the strongest public action the United States has ever taken in response to a cyberoperation, many are bemoaning its inadequacy. The U.S. actions have been derided as “too little, too late,” “confusing and weak,” and “insufficient.” However, this seemingly insufficient reaction may have been informed by international law; the United States might have responded to the DNC hack as it did because international law did not permit it to do more. Limited state recourse to escalatory self-help measures is a feature of the modern international legal order—but, as the DNC hack, Sony hack, and growing number of similar cyber-enabled interferences demonstrate, in cyberspace this feature may have become a bug.

Let’s review the legal backdrop. In the wake of two World Wars, states agreed to limit their ability to use military force to settle disputes. The U.N. Charter formalizes this agreement, prohibiting unilateral “uses of force” and vesting the responsibility for policing the world with the Security Council. There was a single carve-out to the general prohibition: states still have the right to use defensive force in response to an “armed attack.” To keep the exception from swallowing the rule, the threshold for an armed attack is generally understood to be higher than that for a use of force. For example, it’s not even clear that the 2010 Stuxnet attack, which destroyed thousands of Iranian centrifuges, constituted an armed attack. In the interest of preserving international peace and security, states are expected to suffer relatively minor interferences without being able to take forcible action in response.

The general prohibition on unilateral uses of force does not mean that, when confronted with another state’s annoying or unlawful conduct, a victim state’s hands are tied. States may bring a matter before the Security Council, though that is often in practice a politically inviable option. States may always employ retorsions—politically unfriendly but lawful acts, such as terminating diplomatic relations or cutting aid—in the attempt to alter another state’s behavior. Finally, the law of countermeasures has developed in the shadow of the Charter as a means by which states could help maintain the international order. If one state violates its international obligations in a way that harms another, the victim state may take action short of military force that would usually be unlawful, except for the justification that it is being used to bring the original violator back into compliance. Countermeasures, however, are subject to a number of restrictions: they can only be employed after the victim state has asked the perpetrator to stop its wrongful action and the request is refused; they must be proportional to the harm; and their purpose must be to induce compliance with international law. In keeping with the Charter’s aim of avoiding the escalatory self-help that led to two devastating World Wars, punitive countermeasures are prohibited.

In light of this background, how could the U.S. respond lawfully to the DNC hack under international law? The hack wasn’t an armed attack or an act of war, so the United States couldn’t unilaterally use force in response. Was it an unlawful intervention, justifying the use of countermeasures? Probably not, for reasons Sean Watts has detailed and Ryan Goodman has expanded upon. In brief, states regularly attempt to influence others in myriad ways; the element that distinguishes lawful meddling and interference from unlawful intervention is coercion. While touching on the heart of a democratic process, the DNC hack and subsequent doxing don’t constitute intervention. Hacking voting machines and changing votes is coercive; publicly disseminating private information is not. Finally, the Obama Administration has not been willing to publicly characterize the DNC hack as a violation of international law (likely because doing so would raise the question of the lawfulness of similar U.S. operations).

Even if the United States were arguing that the DNC hack was a violation of international law, perhaps because it violated U.S. sovereignty, it is not clear that the United States could use countermeasures now. There are a number of restrictions on the use of countermeasures that make them a less effective deterrent in cyberspace. The speed and secrecy of cyber means that an attack will likely be over before the victim even knows it has occurred, let alone has the opportunity to file a request for cessation and wait for a response. Furthermore, while eventual attribution of cyber activity is becoming more feasible, it is still nearly impossible to identify actual perpetrators immediately, making it difficult to react appropriately in a timely manner. It is also worth noting that states employ countermeasures at their own risk: if they are used inappropriately or against the wrong entity, the original victim state becomes responsible for an internationally wrongful act. As there are myriad opportunities for victim states acting in good faith to misidentify perpetrators and for state and non-state actors to launch cyberattacks that encourage such misidentifications, states may be hesitant to employ countermeasures too quickly. Given these and other factors, states are likely to have delayed reactions to cyberoperations—and delayed reactions look more like prohibited punishment than permissible countermeasures.

As it could lawfully use neither military force nor countermeasures, the United States is legally restricted to responding with relatively unsatisfying retorsions—such as imposing unilateral sanctions and expelling diplomatic personnel. But while these limited options are the intended effect of the U.N. Charter, they are not likely to deter similar future cyberoperations. And, as evidenced by the public reaction to the U.S. response, this is neither a satisfying nor a stable result.

This situation highlights the increasingly important problems associated with simply transposing international laws developed in the physical world to the cyber realm. As I detail in an upcoming article, many of the traditional obstacles and deterrents to state interference in other states’ affairs—the difficulty of extensive secret penetrations, the physical risks to personnel and equipment, the usefulness of countermeasures—are simply non-existent in cyberspace. Law doesn’t develop in a vacuum; it is in constant conversation with other regulatory forces, including environmental and structural constraints, markets, and social norms. Countermeasures helped fill the gap left by the Charter’s prohibition on unilateral uses of force; now that they and other structural deterrents to interference have been rendered practically ineffective in cyberspace, cyber-specific rules are needed.