Counting the consequences of cyber attacks

Soldiers discuss a cyberattack

When Joe Biden met Vladimir Putin in Geneva in June 2021, he took the opportunity to remind his Russian counterpart that the US has “significant cyber capability”. With a nudge and a wink, he was warning Russia that enough was enough.

It’s not surprising that the US felt the need to make a point. From alleged interference in the 2016 American election to the attack last year on networking firm SolarWinds, which compromised software used by the US and UK governments, the United States has long been a target of Russian’s sophisticated hacking capabilities.

But what can Biden actually do in the event of an online attack?

Pointing fingers

“If Country A flies its aeroplane into the airspace of Country B without permission, it’s violated its sovereignty,” said Michael Schmitt, professor of public international law at the University of Reading and a scholar at the US military college West Point.

“But what if it doesn’t do that? What if it conducts cyber operations? Under what circumstances would we call that a violation of sovereignty? We’re taking rules that were not meant for cyber. And we’re saying, in international law, rules apply to new phenomena and new technologies,” he said.

The first question to ask, he points out, is at what point a systems incursion even becomes an attack. “When does a remotely conducted cyber operation violate sovereignty?” asked Schmitt. “You hurt someone? Sure. You physically damaged cyber infrastructure? Sure. What if you caused the system to work in a manner it wasn’t intended to work? What if you’re simply sitting inside their system with malware that you haven’t activated yet?”

“What if you’re engaging in espionage, and you’re just scooping up mountains of data on people?”

Unfortunately, there’s no clear definition of what constitutes an attack. But even if the lawyers do agree an attack has occurred, and a response is justified, there’s another important step: figuring out who is responsible.

“To factually attribute conduct in [cyberspace] is very tricky because of the use of VPNs and stuff like that,” said Dr Talita Dias, a research fellow at the Oxford Institute for Ethics, Law and Armed Conflict. “It’s difficult forensically to identify the source of an attack.”

Another potential complication is not just the technical attribution, but also the question of whether hackers are working on behalf of a particular country, or just happen to be based there.

“[Imagine] you have an attack coming from Italy,” said Dr Antonio Coco from the University of Essex’s School of Law. “You may have evidence that the attack comes from a hacker group that operates from Italy, but no evidence that Italy has sponsored or directed this attack at all.” That doesn’t necessarily mean Italy is off the hook, however: “If you can demonstrate that Italy has failed to exercise due diligence in preventing that attack, then the responsibility of Italy may be implicated” – meaning it could still be lawful to respond with countermeasures.

A cybersecurity expert examines an attack

Fighting back

“Countermeasures” are presumably what Biden had in mind when he spoke to Putin. “That is clearly what Biden is threatening,” said Schmitt. “I think he’s saying no, no, no, the gloves are off now. If you keep this up, then we’re going to start shooting back.”

That doesn’t mean the US can literally resort to military measures. Legally, any response must be proportionate and targeted. “International law does not recognise tit for tat, ever,” said Schmitt. “International law is designed to return a situation to one of peacefulness. So, the striking back must always be to make the other side stop.”

Even so, retaliatory cyber attacks are tempting, simply because they’re cheaper and subtler than real-world action. “When you have two countries confronting each other in the offline world, usually they do it with their armies. This is costly. It’s resource intensive, and it’s also very difficult to conceal,” said Coco. “In cyber dealings, it’s very cost effective to empower hacker groups.”

Retaliation can also lead to de-escalation, too. “If you can hack back and shut the system down, great, but you may not get into that system,” said Schmitt. “So what you’re trying to do is impose a bit of pain on the other side, so the other side says, ‘I don’t know if this is worth it any more. Let’s knock this off’.”

This is one reason why we might be seeing an increase in states grabbing cryptocurrency caches. “If we can’t [hack back], let’s block the resources that these malicious actors are using,” said Dias. “For example, in the context of ransomware, can we seize crypto assets? We could do that as a proportionate response.”

Sparking real confrontations

That’s not to say countermeasures have to be “cyber” in nature. Under the current legal understanding, other types of responses are legal.

Schmitt gives the example of Estonia. In 2007, the country came under a sustained cyber attack from Russia, which launched DDoS blitzes, ping floods and other attacks on a range of Estonian websites and organisations – including the country’s Parliament. This experience, and the questions over how the Tallin government should respond, inspired the naming of the Tallinn Manual – an influential study edited by Schmitt and originally published in 2013 which aims to figure out the laws of cyber conflict.


The best defence against ransomware

How ransomware is evolving and how to defend against it


The problem is that Estonia is a tiny country of 1.3 million people, with nothing like Russia’s cyber resources. But in Schmitt’s view, under international law it would be legal for the country to respond another way, such as by blocking Russian ships from passing through its territorial waters in the Baltic Sea – a crucial strategic pinch point for Russia.

“Estonia could impose pressure by doing something that would normally be illegal... but now it’s okay to get the other side to knock it off,” said Schmitt.

Schmitt suggests that in extreme circumstances it could even be lawful for a country to respond to a cyber attack using military force, if that is the only countermeasure available. Thus, even online conflicts could eventually have very serious consequences.

Military personnel examine a server

(Image credit: Shutterstock)

Do we need a digital Geneva Convention?

To help prevent major escalations, some have suggested that major states should agree a “digital Geneva Convention”, which sets out the rules of cyber conflict. One of them is Microsoft’s chief legal officer, Brad Smith.

The experts we spoke to are sceptical that such a treaty will ever happen, however. “Strictly speaking, we don’t need a treaty,” said Dias. “We already have rules that apply by default to cyber. It’s a matter of fleshing them out and understanding how they apply.”

Dias argues that the cyber rules of the road could be more clearly established by patching together existing law, as it has evolved over time. And this is a process that is already ongoing: in recent years, governments around the world have released position statements, essentially outlining their view of the “rules” of cyber-conflict. While no one is forging formal agreements, these statements help other governments understand each other, and how hostile cyber actions may be received.

At the same time, the United Nations has convened a group of governmental experts to consult on the legal issues around cyber conflict, while legal academics are hard at work on a new edition of the Tallinn Manual, which will go further in defining how existing international law works in the cyber arena. “If you start with a treaty, you may be forgetting the fact that there already is law,” said Schmitt. “It may actually be a step backwards.”