Cybersecurity and Deterrence

What Would Happen If States Started Looking at Cyber Operations as a “Threat” to Use Force?

By Duncan B. Hollis, Tsvetelina van Benthem
Tuesday, March 30, 2021, 2:44 PM

How are threats of force conveyed in cyberspace? When hackers compromised the SolarWinds Orion software in the spring of 2020, they trojanized the so-called Sunburst backdoor, a system designed to communicate with third-party providers. Through that backdoor, the hackers could execute commands, including disabling services and rebooting machines. This operation was effectively a power transfer and a significant one, at once giving those actors an “eye” into all of the victim’s data and a finger on the trigger. Regardless of how one qualifies the operation against SolarWinds, how the features of such operations interact with the rules of international law requires attention. Public reporting about SolarWinds suggests the operation was limited to data exfiltration from a circumscribed group of victims that did not suggest any future use of force. Nonetheless, the case raises a question: If the presence of backdoors in a victim’s network allows for future exploits capable of causing functionality losses generating destruction (or even deaths), could their presence be seen as threatening such results? More broadly, when does a cyber operation that does not itself constitute a use of force threaten force? 

Article 2(4) of the U.N. Charter requires member states to refrain from both the “threat” and the “use” of force. When it comes to cyberspace, the latter prohibition has spawned seemingly endless discussions among states (for recent roundups, see, for example, here and here) and scholars alike (see here, here, here, here, and, of course, here). International legal discourse is entering its third decade of debates on what constitutes a use of force in cyberspace, how to assess scale and effects in this new environment, and whether cyber operations that the international community has already observed, such as Stuxnet or NotPetya, qualify as a use of force or even rise to the level of an armed attack to which states can respond in self-defense. In contrast, the prohibition on the threat to use force has received almost no attention. Considering the recent drastic upsurge in cyber operations, and their diverse means, methods, and effects that individually (or collectively) imply a risk of further operations, there is a need for more dialogue about the obligation to refrain from the threat of force in cyberspace. Here, we hope to launch that conversation, exploring an otherwise underutilized obligation in the international legal arsenal that may yet have an important role to play in regulating state and state-sponsored cyber operations.

The contours of the prohibition on threats to use force are clear in their key respects. First, the state’s threatened action must qualify as a use of force—threats to intervene economically or politically in another state fall outside the prohibition. Second, the threat must be to use force unlawfully. As the International Court of Justice explained in its landmark Nuclear Weapons Advisory Opinion, “The notions of ‘threat’ and ‘use’ of force under Article 2(4) of the Charter stand together in the sense that if the use of force itself in a given case is illegal—for whatever reason—the threat to use such force will likewise be illegal.” Conversely, if a use of force is permissible (for example, as an exercise of self-defense), so too are threats to pursue it. Third, a threat need not be explicit (like an ultimatum)—it can also be conveyed implicitly. As noted in the Commentary to Rule 70 of the Tallinn Manual 2.0, the second edition of the most comprehensive guide on the applicability of existing international law to cyber operations, a threat can be conveyed by any means (for instance, through public pronouncements), and the substance of such a threat is “to carry out cyber operations qualifying as a use of force.” Explicit threats are not only the “easy” case but also the rare one. In cyberspace, the prohibition may have much more utility for implicit cyber threats—what the Commentary to Rule 70 describes as “a cyberoperation that is used to communicate a threat to use force.”

In assessing the existence of an implicit threat of force, context has a major role to play. Not all manifestations of force will qualify as a threat under Article 2(4) of the U.N. Charter. All relevant contextual factors need to be considered, and the mere acquisition of weapons or demonstration of capacity (moving troops or ships) may not themselves be sufficient to constitute threats. As suggested by the Independent International Fact-Finding Mission on the Conflict in Georgia (IIFFMCG), however, if manifestations of force “are non-routine, suspiciously timed, scaled up, intensified, geographically proximate, staged in the exact mode of a potential military clash, and easily attributable to a foreign-policy message, the hostile intent is considered present and the demonstration of force manifest.”

In examining threats of force, international law focuses more on an objective approach. That is, even if the existence of a signaled intention to use force lies at the core of the assessment, that assessment can be conducted by reference to objective manifestations of such intent. Importantly, a crucial element in the examination of a threat of force is its credibility. According to the IIFFMCG, it is enough for the threat to create “a calculated expectation that an unnamed challenge might incur the penalty of military force within a dispute.”

The international legal community thus has a good sense of the relevant legal criteria for threats of force in the kinetic context. In the context of the conflict in Georgia, the IIFFMCG considered a number of Georgian actions, including its launching of air surveillance over the Abkhaz conflict zone in spring 2008, its participation in repeated exchanges of fire in South Ossetia, and its engagement in a comprehensive military buildup with the assistance of third parties, including acquiring modern weaponry. How might such criteria extend to cyberspace? These criteria suggest, first, that the intelligence-gathering aim of a digital operation and the legality of espionage under international law do not preclude treating gathering of information as a factor in assessing the existence of a threat of force. Second, the acquisition of certain cyber capabilities may be relevant to the analysis. Finally, repetition of conduct matters, a point of particular relevance to cyberspace where cybersecurity experts regularly observe patterns and operational signatures.

One of the defining features of a cyber operation is its polysemous character. Technically speaking, it has always been hard to differentiate an operation that will access and leverage a vulnerability to generate confidentiality losses (like espionage) from those that can degrade or destroy the integrity or availability of data or networks (or the infrastructure the networks support). Hence, discovering a data breach today is no guarantee against a more malicious activity coming in (or already distributed) via the same means. If that malicious activity would itself clearly constitute a use of force, international lawyers must ask if the original cyber operation is itself a threat to use such force. For example, operations targeting water filtration facilities or civilian nuclear power facilities warrant careful scrutiny even if they only exhibit evidence of data breaches.

There are reasons, moreover, to think that particular features of cyber operations may warrant a threat analysis more often than in the kinetic context. The most important rationale has already been highlighted—the polysemous function of cyber operations. The same activity necessary to conduct espionage against a target is necessary to use force against it. At the same time, many cyber operations have, or at least appear to have, much larger footprints than their authors may intend; the breach of SolarWinds, for example, threatened 18,000 users, even if resulting harms were only (publicly) identified in a few hundred. Third, these operations regularly go beyond the acquisition or demonstration of a capacity to its actual deployment. That deployment, moreover, occurs within a state’s networks and systems, a marked difference from troop movements or ships patrolling outside its borders. Assessing the operation as a threat may hinge on the fact that the vehicle for force is already present within the state’s territory.

Today, states and scholars repeatedly insist that international law governs state behavior in cyberspace even as they struggle (mightily, in some cases) to explain how it applies. So far, however, the discourse has focused on observable “effects” rather than threats. As a result, many (if not most) state-sponsored cyber operations labeled as espionage are treated as beyond the law’s reach (international law having long ignored or exempted acts of espionage). Other debates center on which effects are regulated and how to situate them along a spectrum from armed attacks to uses of force to interventions and (for some) sovereignty violations. The approach we suggest does not attempt to displace any of these important efforts. Rather, it offers an additional regulatory perspective.

A careful consideration of the prohibition on threats to use force in cyberspace is both useful and necessary. It offers a way to reorient the law’s application—to think about the law applying not just to what states do but also to what those actions threaten to do, whether expressly or implicitly. A precise threshold for assessing cyber operations through the lens of threats of force is yet to be fully fleshed out. The goal of this post is more modest—to call on states and other stakeholders to recognize the reality and thus the potential of using Article 2(4) of the U.N. Charter to bar not just uses of force in cyberspace but also threats of such force in equal measure.