A weekend New York Times story by David Sanger and William Broad disclosed U.S. cyber-operations against the North Korean ballistic missile program. They report that three years ago, “President Barack Obama ordered Pentagon officials to step up their cyber and electronic strikes against North Korea’s missile program in hopes of sabotaging test launches in their opening seconds.” This story came right on the heels of a Senate Armed Services Committee hearing on cyber strategy and deterrence, during which I was asked to testify about what constitutes an “act of war” in cyberspace (my testimony is available here).
As I explained there, the legally precise reformulation of that question is whether a cyber-attack amounts to prohibited “force” or an “armed attack” triggering a right of self-defense under the U.N. Charter system. Factual details about the North Korea operation are lacking, but the Times story prompts questions about whether it crosses these thresholds.
According to the recently published DoD Law of War Manual, “if cyber operations cause effects that, if caused by traditional physical means, would be regarded as a use of force under jus ad bellum, then such cyber operations would likely also be regarded as a use of force.” Like other recent U.S. government statements on this issue, it says that many factors are relevant to this assessment (e.g. context, target, location, intent), and it specifically states that cyber-attacks “that cripple a military’s logistics systems, and thus its ability to conduct and sustain military operations, might also be considered a use of force under jus ad bellum.” In my testimony I noted that this interpretive approach leaves open the possibility of treating as “force” or “armed attacks” cyber-operations “that weaken our defense capability—such as disrupting the functionality of military early warning systems.”
There are many legal questions raised by the Times story, and assuming the reported description of events is correct, here are just three:
First, did the U.S. government regard electronic sabotage of ballistic missile tests as an act of “force” or an “armed attack”? The multi-factor approach to cyber-attacks as “force”/“armed attack” leaves a lot of room to argue this either way. I assume that the U.S. government wants to keep open some legal flexibility to conduct this type of cyber-operation, but I also suspect that it would regard as quite reasonable a determination that a disabling cyber-attack against U.S. missile systems constituted an armed attack—and therefore justified self-defensive force. The Times story notes that this cyber-operation has echoes of Stuxnet attacks that, as has been widely reported, physically wrecked Iranian nuclear centrifuges, and any internal legal analysis may be similar, though it is unclear exactly what effects the North Korea attacks had on missile systems that may ultimately have contributed to test failures.
Second, did the U.S. government regard its cyber-operations as themselves an act of self-defense? Sanger and Broad report that “[a]t one meeting, [President Obama] declared that he would have targeted the North Korean leadership and weapons sites if he thought it would work.” And former Obama Secretary of Defense Ash Carter has long advocated preemptive strikes against North Korean missiles, dating back to his service in the Clinton Administration. One wonders whether any reported U.S. cyber-attacks on those North Korean systems were or could have been justified internally under an expansive preemptive self-defense doctrine.
Third, beyond existing law, how do these reported cyber-attacks against North Korean missile systems fit within U.S. government discussions with China or other players regarding special norms for cyber-attacks? On this issue, Sanger and Broad note:
Once the United States uses cyberweapons against nuclear launch systems—even in a threatening state like North Korea—Russia and China may feel free to do the same, targeting fields of American missiles. Some strategists argue that all nuclear systems should be off limits for cyberattack. Otherwise, if a nuclear power thought it could secretly disable an adversary’s atomic controls, it might be more tempted to take the risk of launching a pre-emptive attack.
If the United States is in discussion with other cyber-powers about mutual restraints to make certain critical systems off-limits to attack, I wonder how the reported North Korea operations fit within that strategy.
I’ll conclude by noting that this story also illustrates that answers to the international law questions will be slow to develop. The U.S. government is not acknowledging the reported North Korea operations. And like Iran and Stuxnet, I don’t expect North Korea to speak to them. As I wrote a few years ago:
[I]ncremental legal development through State practice will be especially difficult to assess because of several features of cyber attacks. Actions and counteractions with respect to cyber attacks will lack the transparency of most other forms of conflict, sometimes for technical reasons but sometimes for political and strategic reasons. It will be difficult to develop consensus understandings even of the fact patterns on which States’ legal claims and counterclaims are based, assuming those claims are leveled publicly at all, when so many of the key facts will be contested, secret, or difficult to observe or measure. Furthermore, the likely infrequency of “naked” cases of cyber attacks—outside the context of other threats or ongoing hostilities—means that there will be few opportunities to develop and assess State practice and reactions to them in ways that establish widely applicable precedent.