Now that the United States has concluded that North Korea was responsible for the hack into Sony’s computers, it has begun to make noises about responding to that hack in some way. If the United States wants to make its response consistent with international law, how should it think about how to proceed?
Mike Schmitt posted an excellent analysis at Just Security that walks through how to characterize the Sony hack under international law. He argues persuasively that the hack would not rise to the level of an armed attack (which would trigger a U.S. right of self-defense) or even a use of force (though the FBI is now talking about “destructive cyber attacks,” and if the attack actually destroyed physical systems rather than just data I imagine the analysis might change). But he also illustrates how, even if the cyber action did not produce physical harm, the hack nevertheless violated the customary international norm of sovereignty. Mike details many of the options the United States has to respond to this violation, including the use of “countermeasures.”
Under the law of countermeasures, when State X violates its international legal obligations to State Y, State Y may take actions to persuade State X to cease its violations. Those actions – that is, the countermeasures – may include the non-performance by State Y of certain of its international law obligations to State X. The violations need not be symmetrical to each other, but State Y’s countermeasures must be proportional to the original violation. Some believe that the injured state must notify the violating state before undertaking countermeasures, though it is not clear whether the United States accepts this as a binding rule.
There is reason to believe that the U.S. government may be thinking about a response to North Korea within the countermeasures framework. The White House stated yesterday that it was contemplating a “proportional response.” The response could (and in fact seems likely to) occur in cyberspace, but international law doesn’t require that it do so. Regardless of the form a U.S. response might take, the important point is that international law provides a relatively flexible framework in which states may respond to different types of breaches of international law against them. A cyber event that violates international law need not rise to the level of an armed attack in order for a state to respond. The choices here are not zero or sixty. The possibility of a more nuanced response is a good thing – though of course the chances of escalation by the North Koreans in response to a lawful countermeasure cannot and should not be discounted.