Cybersecurity and Deterrence
Is the SolarWinds Cyberattack an Act of War? It Is, If the United States Says It Is.
Members of Congress on both sides of the aisle have posed the question of whether the recent SolarWinds cyberattack was an act of war. Democratic Sen. Dick Durbin and Republican Sen. Mitt Romney shared these concerns.
An act of war—in Latin, casus belli—has historically been unsubtle; therefore, it’s traditionally been pretty obvious when one has occurred. Not so in the digital age, in which a surreptitious cyberattack delivers latent but potentially catastrophic effects on the target, without clear attribution to the actor. States must recognize such an aggressive act for what it is and be prepared to respond to such threats in accordance with international law.
While there are numerous definitions of “cyberattack,” generally a cyberattack includes efforts to alter, disrupt, or destroy data or computer systems or networks, and efforts to disrupt or destroy physical infrastructure controlled by such systems. As a matter of law, the U.S. government looks to two sources of law to determine whether a cyberattack exceeds the threshold for casus belli.
As a matter of domestic law, under Article II of the Constitution, the president of the United States has the power to act in matters of foreign relations, direct the military in national defense and, consistent with established war powers, initiate hostilities. Further, Article I of the Constitution vests in Congress the power to declare war. This domestic authority is not subject to any limitations, including precepts of international law. In my experience on the White House National Security Council (NSC), domestic law was the preeminent concern during the Trump administration. International law and norms generally seemed to receive short shrift.
This lack of emphasis resulted at least in part from a failure to execute formal interagency coordination through the established NSC policymaking process. I observed policy directives dictated from the Oval Office before any analysis, justification or due consideration for international law had even taken place. While obviously it is appropriate that policy should emanate from the Oval Office, due diligence and consideration of second- and third-order effects typically inform such decisions.
The Trump administration’s backward approach was unfortunate. The United States has always been a nation that abides by and respects the rule of law; this country helped establish the current rules-based international order, including the postwar international legal regime. The shift away from consideration of international law and norms could not have come at a worse time. The United States currently faces a pivotal moment in the establishment of international law and norms in the face of the maturation of cyber capabilities. Cyber law is an area of law that is not well developed or delineated. If the United States does not participate or does not take a position on cyber-law matters, it will lose the ability to shape the law and norms. This milieu provides the second regime, international law, that informs the U.S. government’s response to the SolarWinds attack.
International law and norms are drawn from two existing sources, treaty law and customary international law, which in turn is composed of state practice and opinio juris (a sense of legal obligation). For either treaty law or customary law, a state’s interpretation of law orders that state’s actions. Interpretation (or reinterpretation) of these existing bodies of law, applied to extant facts, is a completely appropriate mechanism for the evolution of international law as it relates to cyberattack.
It is precisely because of that syllogism that, in essence, the SolarWinds attack is casus belli if the U.S. government says it is.
International law limits the basis for resort to war (jus ad bellum), in Article 2(4) of the U.N. Charter, to an illegal “use of force” or armed attack. Michael Schmitt noted recently that “the threshold at which a cyber-operation amounts to a use of force remains unsettled.” This ambiguity in and of itself is dangerous because neither aggressor nor victim knows where the red line is. However, some states have recently taken a public position on cyberattack as casus belli.
France, a major European and nuclear power, has declared that a cyberattack or operation need not be destructive or physically damaging to be casus belli. Following the French model, despite the current lack of physical damage resulting from the SolarWinds attack, the United States should consider whether critical systems were sufficiently compromised to exceed the threshold for casus belli. Doing so inherently looks to the right to self-defense under international law.
Chapter 51 of the U.N. Charter recognizes the inherent right to self-defense in response to casus belli. In exercising self-defense, states must consider the nature of the attack or the imminent attack if the attack itself is nascent. If responding to an attack after suffering injury, a state exercises self-defense in its purest form. A state may certainly exercise self-defense to prevent further injury or to reverse the progress of the attacker. International law precepts on nonintervention and notions of sovereignty, while normally worth considering, need not be scrutinized if the SolarWinds cyberattack meets the threshold for casus belli as an illegal use of force or armed attack.
Historically speaking, at least, a massive conventional surprise attack—like Pearl Harbor, for example—that caused unprecedented death, damage and destruction was almost the definition of a casus belli. Given contemporary surveillance capabilities, including satellite capabilities, and other intelligence platforms, such a conventional attack against an advanced state is unlikely to achieve surprise and therefore reduces the possibility of a Pearl Harbor actually happening. Pearl Harbor, an attack in the analog age of war, occurred when the pace of war allowed for time to build and rebuild forces, to generate capabilities, mobilize, deploy, mass, and attack. The pace of modern warfare, however, is faster, with massive death and destruction delivered in short time frames from distant precision weapons. Concurrently, the mature ability to sense and respond to threats by modern advanced states has deterred them from engaging in the obvious casus belli of a bygone age.
Operations Desert Storm, Iraqi Freedom, and Enduring Freedom, and, to a degree, the Nagorno-Karabakh conflict—all of which involved highly targeted strikes with “smart” weapons—represent the age of precision war. Precision warfare, fought with smart bombs, guided missiles and unmanned aerial vehicles is a quantum leap in warfare. However, the effects of precision warfare are still recognizable as refinements of analog warfare, with consequences in the physical world. Precision war is fought at rocket speed, inflicting precise physical devastation on an adversary’s capabilities and consequently debilitating the ability to wage war in weeks and months, rather than years. The precision war is only decades old but is soon likely to be supplanted as battlefield technologies keep pace with the advent of ever-newer, more aggressive artificial intelligence; sophisticated remotely deployable hardware; and cyberattack capabilities.
Digital war will embrace the means of precision war, ushering in an era of conflicts that will deal devastating and perhaps decisive damage and destruction. The opening engagements in digital war will almost certainly include cyberattacks, executed at the speed of light via fiber-optic cables, the use of revolutionary artificial intelligence and advanced unmanned aerial vehicles.
Unlike analog and precision means of war, a cyberattack occurs not in the physical realm but in the virtual realm. Attack in the virtual realm can have devastating consequences in the physical world. Additionally, cyberattack, as has been demonstrated repeatedly in recent years, retains perhaps the biggest and most decisive element of war: surprise. Thousands of years ago, Sun Tzu noted that “[t]o mystify, mislead, and surprise the enemy, is one of the first principles in war.” Ever since, and probably even before, military strategists have recognized the value of surprise.
A cyberattack of sufficient magnitude may surprise and cripple an opponent’s ability to wage war effectively in the way kinetic attacks no longer can hope to achieve. This may include destroying and limiting the ability to command, control, communicate, observe and discern an opponent’s actions. If such a devastating attack is coupled with the means of precision warfare, the initial attack may, short of resorting to weapons of mass destruction, result in a fait accompli. Therefore, serious cyberattacks or cyber operations on critical systems should be considered casus belli.
This brings us to SolarWinds, whose products are used by approximately 300,000 customers, including most Fortune 500 companies and many U.S. government agencies. These agencies include the Treasury Department, Department of Homeland Security, Department of Commerce, Department of Defense, and Department of Energy, including the National Nuclear Security Administration. Through a clever infiltration of SolarWinds’s widely distributed Orion software, which sits in the information technology supply chain, attackers gained access that allowed them to plant “backdoors” in the networks of scores of companies, government agencies and think tanks. The attackers’ access allowed them free and persistent entry into systems, to steal data and deliver a latent but as yet unutilized ability to alter data or execute destructive attacks. Through malicious code planted on infected systems, attackers achieved “hands on keyboard” backdoor access to run commands received from the threat actors’ C2 server. In such an attack, there is a human adversary engaged in the intrusion who is actively working toward an objective. The full scope of the attack is not clear, but it is unambiguous that the attack is one of unprecedented magnitude.
While access is not in and of itself a casus belli, such access into critical systems with the ability to operationalize harm, in my opinion, would be casus belli. In SolarWinds, the espionage and operational access of the “hands on keyboard” cyberattack are intertwined. The vulnerabilities are present and continuing on an unprecedented scale, even if currently latent. Consequently, a U.S. response to this attack should be understood as self-defense to an attack in progress. Although the effects of a cyberattack may not be as clear as the bombs dropped on Pearl Harbor or a ballistic missile launch, they should nevertheless elicit a similar level of concern. The U.S. need not wait for the effects of the SolarWinds attack to be operationalized, just as it wouldn’t wait for ballistic missile impact, before responding.
In the digital war, when an opening attack by advanced adversaries can be decisive, including by eliminating our situational awareness and increasing our vulnerability to analog or precision warfare, cyberattacks meeting certain criteria may constitute casus belli. Digital war is an inflection point requiring a paradigm shift on perceptions of the nature of attack. International law experts generally agree that to constitute casus belli, the cyberattack, whether a single attack or an extended operation, must be against systems of such critical importance as to exceed the threshold of a use of force. This assessment is not dependent on the presence of physical damage and can occur as a single act, such as an attack on a nuclear reactor control system, or through a persistent program of attacks on critical systems. These factors are akin to what the Netherlands would describe as “qualitative and quantitative factors” in its own assessment of casus belli for a cyberattack. For example, whether it is a physical bomb or malicious code sent by means of fiber-optic cable at the speed of light that causes a nuclear power plant to go into meltdown, the effect is the same. In either case, the victim state has a casus belli. What is less clear is which facets of a cyberattack might yield that level of eventual devastation.
But a country need not be subjected to a cyberattack tantamount to physical attack to suffer casus belli. Such an understanding of international law would be illogical and unsupportable in the digital age of warfare. This is particularly true if critical systems are sufficiently compromised in the initial breach to grant the attacker the ability to imminently execute death, destruction and damage. The act of espionage is intertwined, in this case, with ensuring access for an offensive act. The SolarWinds cyberattack, by public accounts, appears to be the most significant such attack the U.S. has ever faced and has by some accounts affected critical systems of government agencies and private entities. While the full extent of the breach is not clear, such critical systems may include nuclear power plants, hydroelectric facilities, traffic control systems or any target containing industrial control systems. Compromised industrial control systems can be directed to stop a reactor from cooling, a hydroelectric dam to flood downstream, or traffic signals to cease working. The ability to control these systems is thus the ability to cause mayhem at any time of the attacker’s choosing. Moreover, such cyberattacks on government systems may eliminate the ability to command, control, communicate and accurately perceive the adversary’s intent. This lack of situational awareness can lead to dangerous misjudgments, and it increases susceptibility to attacks resulting in major damage or death. Consequently, the U.S. has to regard itself as remaining under attack until whatever malicious code has been delivered is eliminated root and branch.
Further complicating a state’s response to cyberattack is the issue of attribution. Unlike analog or precision warfare, cyberattack attribution is not always clear. Attribution is an important topic, but one discrete from the question of whether the attack justifies war in response. In any event, attribution of the SolarWinds cyberattack to the Russian foreign intelligence service, or SVR, does not appear to be seriously in doubt.
While Pearl Harbor resulted in physical destruction and death, the SolarWinds cyberattack has not caused any physical destruction or death—at least not to date. Obviously, this difference is an important one, but the nature of such an attack and the imminent threat in the digital age of war must also be considered.
Even if the criteria for casus belli are met, the U.S. still may not want to declare it as such. If the country cries “war,” it must be prepared to lay out why it considers this cyberattack to exceed the threshold for use of force in order to ensure that the threshold for war remains high. This serves as a matter of self-interested self-restraint and establishes the appropriate threshold for customary international law and international norms. Further, exercising self-restraint on this attack does not hamper the United States’s own cyber snooping, data theft or traditional espionage. As a nation that respects international law, the United States must be consistent in the application of law and policy, unlike some of its near-peer adversaries that subscribe to international agreements without any intention of abiding by such proscriptions. The U.S. acts in accordance with its legal obligations.
The Biden administration will need to determine how to respond to the SolarWinds cyberattack to establish deterrence and impose costs given the magnitude of the attack. These are policy issues, but they should be informed by the legal determination that the SolarWinds cyberattack may well constitute a casus belli under international law.