In February 2018, the German government’s network was attacked. Germany did not specify what kind of information was accessed by the foreign hackers, but it is publicly known that the hackers successfully attacked the IT system of the Ministry of Foreign Affairs. On March 18, 2018, the Head of the Federal Chancellery and Federal Minister for Special Tasks, Helge Braun, issued a public statement about this attack and explained that the government would examine the possibilities of cyber counterattacks. His statement heated the political debate about cybersecurity and parliamentary opposition groups raised concerns and questions in official inquiries to the federal government on March 23, May 4 and May 7. The questions covered many topics ranging from Russia’s potential influence on the domestic political debate to facts about specific cyber attacks to the domestic institutional framework for cyber defense to attribution and the international legal framework.
Germany has seen a number of cyber attacks since 2015, including the cyber attack on the German parliament in 2015, the spear-phishing attacks on political parties and foundations in 2016 and the worldwide “NotPetya” virus in 2017. Germany has attributed all these incidents and the recent attack in February to Russian networks. Public attributions have been done more frequently in recent years, particularly in the U.S. and by some of its allies attributing the NotPetya attack. Public statements from governments regarding how they will apply international law to cyber activities, however, are still rare, even though they are important for the development of international law. The U.K. and U.S. governments have made the most detailed statements on the legal framework of cyber operations so far. British Attorney General Jeremy Wright recently expressed the position of the U.K. government and the U.S. government’s position was outlined in two speeches by State Department Legal Adviser Harold Koh in 2012 and Brian Egan in 2016.
The German government’s recent responses to inquiries from the political opposition can be added to this list of public statements. This statement will contribute to the aim of avoiding “unnecessary escalation” because—as Egan expressed in his 2016 speech—the relative silence of states “could rise to misperceptions and miscalculation by States, potentially leading to escalation and, in the worst case, conflict.” The following paragraphs will describe topics of international law that were or were not addressed in the responses of the German government.
How to respond to cyber attacks
Mirroring the views of the U.S. and U.K., the German government asserts that cyber operations can constitute an “armed attack,” and therefore trigger the right of self-defense under Article 51 UN Charter. While the German government clarifies that cyber operations constitute an armed attack only under certain circumstances, the statement does not specify or enumerate those circumstances. However, it claims that Germany could “react with all legal military means”if a cyber operation is equivalent to an armed attack.
In regard to cyber operations under this threshold, the government outlines that countermeasures to cyber attacks must be in accordance with international and domestic law. It defines cyber counterattacks as “active measures with the aim to manipulate or disturb the information technology systems used for the original attack.” However, the statement leaves the following operational questions unanswered, which I will address in more detail below: Who should be responsible for defending against cyber operations under the threshold of an armed attack? Under what circumstances should a state agency be authorized to conduct cyber operations? Is the state allowed to carry out a preemptive cyber attack?
Who should defend against cyber operations under the threshold of an armed attack?
The German government tries to distinguish between powers of the military and civil agencies to defend against cyber operations. It even uses different words for cyber defense: “Cyber-Verteidigung” for military operations and “Cyber-Abwehr” for cyber operations of civil agencies. The difference between these two terms is unclear, and it does not contribute to a clarification of responsibilities between the the two. The government is remarkably vague in this regard, stating only that “one option is a military mission as long as it is within the framework of its constitutional mandate.”
The German military is only authorized to act after a parliamentary approval, abroad and in self-defense. Many unanswered questions arise with regard to this mandate: When does a cyber operation conducted by the German military have to be considered as a military operation abroad? Is it relevant where the military officer conducts the operation or where the operation causes results? What kind of cyber operations are actions of defense? The only clarification that the government makes is that “the potential to deter is part of the constitutional mandate of the German military.”
Under what circumstances should state agencies be authorized to conduct cyber operations?
Of course, the appropriate means of response depend, as the government correctly states, “on the individual case.” But should state agencies be permitted to conduct a cyber counter-attack before an incident takes place? Or do they have to wait until an attack occurs or at least until there is sufficient evidence of an imminent cyber threat?
The German government’s statement declares that the government is examining the technical and legal framework of active cyber defense measures. It defines these measures as civil cyber defense against all intentional activities that have the purpose to manipulate, influence or disturb the availability, integrity and confidentiality of information technology systems with information technology resources and that do not rise to an “armed attack” within the meaning of Article 51 of the UN Charter. This broad definition also includes measures before a cyber incident takes place, and it will be interesting to see draft legislation dealing with this topic.
Attribution and the principle of proportionality
Finally, the government makes some statements about attribution of cyber operations and the principle of proportionality. It acknowledges that attribution is “always connected with a degree of haziness” and depends on the cyber capabilities of the adversary. A “doubtless attribution” about the country of origin of the actor can regularly not be done. It thus becomes a question of policy: how to communicate this finding to the allegedly responsible state. In the case of the cyber attack on the German Government’s IT network in 2018, the German government claimed publicly that it “most likely” stemmed from within Russia. The cautious formulation was immediately followed by the statement that Germany remains open to a constructive dialogue with Russia.
With regard to the principle of proportionality, the government outlines that state agents always have to consider the “least intrusive technical means” necessary to achieve their goal. In the context of cyber operations this means, in particular, to take precautions that “do not put uninvolved stakeholders at a disproportionate threat.” While this point highlights the importance of proportionality, it does not refer explicitly to this principle as a rule of international humanitarian law. The German government's statement on proportionality thereby reflects the practice of states conducting the majority of cyber operations during peacetime, in which they are only bound to the principle of proportionality as it exists under human rights law, as opposed to under the law of armed conflict.
The German government’s responses to the inquiries of the political opposition are notable for two reasons. First, as mentioned at the beginning of this article, public statements of states are rare and important for the formation of international law. Second, the government’s response confirms the application of principles of international law to cyber operations—in particular the right of self-defense under Article 51 of the UN Charter, the law of countermeasures and the principle of proportionality.
The response does not, however, help to clarify concepts that are highly debated among legal scholars. It does not, for example, specify the “certain circumstances” under which a cyber attack would amount to an armed attack— one can wonder if this decision is intentional. Strategic ambiguity may have served during the Cold War nuclear confrontation, but it may be less appropriate in cyberspace. As Steward M. Patrick correctly states, ambiguity leaves open the potential for chaos in determining adequate responses.
Governments around the globe are struggling with and will have to address the same questions of adequate behavior in cyberspace. They should exchange their views on how to appropriately respond to harmful cyber operations ordered or sponsored by foreign states and what kind of preventive regulations could lead to better protection.