Note: This article is based on a presentation at the Informal Meeting of EU Foreign Ministers in Vienna on August 31, 2018.
The strength of our society rests on the strength of our IT. In a world where everything is connected—phones, cars, houses, electric grids, supermarkets, hospitals, financial systems and satellites—everything can be disrupted, if not destroyed. For several years, cyber threats have featured at the top of the risk assessments of government ministers, diplomats, intelligence officials and military leaders. What is missing in these debates is a grand strategic vision. Cyber diplomacy and cyber defense should become the bread and butter of our foreign and security policy debates.
Cyber Norms and International Law
International law is often misleadingly dismissed as window dressing on realpolitik. But that approach understates the importance of international agreements in maintaining peace and security. For liberal democracies that respect the rule of law, international law shapes governments’ activities. At difficult and unstable times, it is even more important that our like-minded countries demonstrate commitments to international law and the values that it represents.
Cyberspace is an integral part of the rules-based international order. The best guarantee for a future with an open, free and stable internet is a common understanding among nations that the current rulebook for state behaviour on the international stage also applies in cyberspace. The digital age does not require a new international legal framework; the existing international law norms and principles apply.
The question before us is, of course, how do they apply? This was the point of departure for the Tallinn Manual—a survival guide for cybersecurity lawyers and policy advisers published under the guidance of NATO Cooperative Cyber Defence Centre of Excellence in Tallinn, Estonia (which I directed in 2017 and 2018). It is a study examining how international law governs the use of cyber force by states during an armed conflict, as well as in peacetime. The Tallinn Manual is the first document to address these questions in a comprehensive manner.
As Dutch Foreign Minister Stef Blok recently described the Tallinn Manual as providing a framework for how international law can guide state behaviour in cyber conflicts. It offers a roadmap for holding states accountable. It clearly describes the conditions and limitations for countermeasures that can be undertaken to respond to cyber attacks.
Of course, the Tallinn Manual does not provide all the answers. First and foremost, it is a tool for states in their own interpretations of customary and statutory international law. It is also part of an important battle because, indeed, there is a battlespace between the liberal and authoritarian states in their views of how to settle cyber conflicts. We have also seen activity by nonstate actors such as the Islamic State or the Internet Research Agency, who are ready and willing to move in to fill a void ignored by states.
International law adapts to changing times and remains relevant to the challenges of modern conflicts through treaties and through customary international law formed from the general and consistent practice of states acting out a sense of obligation.
As suggested by Professor Michael N. Schmitt,
The greatest prospect for progress in the near term lies in states making clear their positions with respect to when and how specific international law principles and norms apply in cyberspace. It remains the case that states, and only states, have the authority to craft new international legal regimes. Only states have the authority to establish state practice in interpreting international law’s existing principles and rules. They do so through the adoption of treaties or by engaging in practices that, when combined with expressions of opinio juris (expressions by states that the practice in which they are engaged), results in the crystallization of customary international law.
What like-minded states actually say on their understanding of international law matters a great deal. Over time, a critical mass of complementary state views on a particular cyber legal issue will accumulate—and that interpretation becomes a binding customary law, cementing the norms in place. Statements that are clearly expressing countries’ interpretation on how the law is applying, help to clarify the legal framework where all of our nations operate.
There are certain areas of international cyber law in which states articulating their legal position helps to hold the line against a potentially destabilizing activity. For example, it would be useful if states developed clear positions about when they are ready to cross over the “use of force” or “armed attack” thresholds. There appears to be a broad consensus that when the destruction or injuries are significant, the victim state enjoys the right of self-defense by both cyber and kinetic means against the state that launched the cyber “armed attack.”
Some nations are travelling that road already. The 2011 Dutch “Cyber Warfare Report,” as explained by the Dutch Defence Minister Ank Bijleveld, implied that “a cyber-attack can be considered an “armed attack,” if it leads to a serious disruption with longlasting consequences. For instance, if a cyberattack targets the entire financial system or if it prevents the government from carrying out essential tasks such as policing or taxation, it would qualify as an armed attack. And it would thus trigger a state’s right to defend itself.”
In similar terms, the French Strategic Review of Cyber Defense was presented in February 2018. The review is a landmark document outlining the French approach to international law and providing insight into France’s approach to responding to cyberattacks. This white paper recommends France to adopt a classification mechanism for cyberattacks. That will allow policymakers to assess the effect and impact of an operation directed at France, including an incident that could trigger the threshold of an armed attack.In April, 2018, the U.K. government has launched a new cyberattack categorization that is designed to improve response to incidents. A good example of demonstrating state practice is the U.K. attorney general’s statement at the Chatham House, where he extensively explained the U.K. positions on issues like sovereignty and warned that intervention in the domestic affairs of other states by cyber means deserves a robust and legitimate response. As states begin to refine the thresholds of response against cyberattacks, any assertion that no such lines exist would soon be wrong.
But having a clear legal framework will be of limited use if states are not able to attribute digital attacks. Without clear attribution, there can be no legal retribution, no countermeasures and no self-defense.
Throughout this year, we have witnessed states increasingly practicing public attribution. In May 2017, WannaCry ransomware impacted 150 countries and hundreds of thousands of systems, paralyzing healthcare, production facilities and telecoms. In December 2017, WannaCry was attributed to North Korea by U.S., U.K., Australia, Canada, New Zealand, Denmark and Japan. Similarly, earlier in 2018, a number of Western countries—starting with the U.K. and the U.S., soon joined by Australia, New Zealand, Canada, Denmark, Estonia, Japan, Lithuania and others—attributed another malware attack called NotPetya, to Russia.
It seems that we have overcome the paralyzing idea that attribution is an impossible technical issue. We have proven with like-minded countries that attribution is not only possible, but also necessary. State-backed cyber attackers no longer operate in strategic ambiguity.
This means that throughout 2018 attribution has moved from being a largely technical discipline to something much larger. It balances technical, intelligence, legal and political elements; this balance is something that states and governments have to consider carefully.
The first step is technical attribution. As outlined by the Dutch Defense Minister,
In this phase, the attack is linked to a digital source, which can be an email account, a piece of malware or an Internet Protocol (IP) address. Technical information acquired from digital forensics analysis is only one of the relevant sources. Equally important information is intelligence, strategic context, patterns of behaviour and motivation.
Once the technical author of the attack is known, it will be the task of lawyers to advise the government on legal responsibility of a state behind the attack—if there is one. After the legal responsibility has been established, it is up to the government members to decide whether or not to publicly attribute a particular attack to a particular actor.
A recent report of the European Commission encouraged EU countries to name and shame foreign states that sponsor cybersecurity attacks, explaining that attribution of blame will deter potential aggressors and increase the chances that those responsible will be made properly accountable. That report describes the European Commission’s strategy for coordinating EU-wide responses to “hybrid threats”, such as the poison attack on former Russian spy Sergei Skripal and his daughter earlier this year in the U.K. “Member States are invited to continue their work on attribution of cyber-attacks,” according to the document.
The next step after the public attribution would be to come up with a response. The EU Diplomatic Toolbox adopted in 2017 is an example of collectively pre-agreed possible response measures. It offers a framework for joint EU diplomatic responses to malicious cyber activities, including common diplomatic steps such as adopting condemning statements, summoning ambassadors, or declaring diplomats persona non grata. The Diplomatic Toolbox also opens the possibility that the European Union might impose sanctions on an adversary attacking its member states in cyberspace. Ultimately, what matters, is that states engaging in unlawful actions, using cyber means, will not get away without consequences.
NATO-EU cooperation in times of crisis is increasingly vital. As there are no national borders in cyberspace, there are also no organisational boundaries, or the clear boundaries between military and civilian cyberspace. Deeper NATO-EU cyber security cooperation could focus on practical complementary work, such as more active exchange of cyber threat information, a common playbook for crisis management and joint exercises.
As the Estonian Minister of Defence Jüri Luik suggested at the 2018 Munich Security Conference, it would be useful for EU to consider possibilities of cooperating with the NATO Cooperative Cyber Defence Centre of Excellence (NATO CCDCOE), that aims to increase cyber defence training capabilities. This could include a dialogue with NATO on the possibility of the EU closely collaborating with the Center of Excellence with a view to increasing complementarity and collaboration.
Cyber Security Exercises
Cyber security exercises are an important part of NATO-EU joint efforts. Exercising response to cyber attacks is one of the best ways to raise awareness at the political level on the effects that cyber means can cause. EU cyber-defense staff took part, for the first time, as full participant in NATO’s Cyber Coalition exercise held at the end of 2017. In April 2018, EU staff participated in the NATO Cooperative Cyber Defense Centre of Excellence Locked Shields exercise.
Effective crisis response depends on how prepared we are. If, in real crisis scenarios, the situations escalate quickly to political level, we should also engage ministers and cabinet members in cyber defence exercises. This is why last autumn during the EU Presidency Estonia organised the first ever strategic table-top cyber exercise EU CYBRID 2017 at the defense ministers level, with the NATO secretary-general also attending. The focus of the exercise was on situational awareness, crisis-response options and strategic communications.
What is important here is that cyber exercises should not be the playground of only the ministers of defence. Cyber security and cyber defence go beyond the military community boundaries. Thus, cyber security should also be exercised by other ministers, including the ministers of foreign affairs, as most real world crisis in the future will have cyber components, to which political and diplomatic response will be required in addition to technical response.
As digital is the new normal, there are boundaries of acceptable state behaviour in cyberspace, just as there are everywhere else. States have to be clear about how international law obligations bind us. Each of our like-minded nations individually should be open and clear in setting out the rules it feels bound by. Staying silent means accepting that cyberspace is a grey area and a dangerous place. We must not allow that to happen – we should work together and take united steps to ensure that future generations do not question why nothing was done when so much was at stake.