26 Jan Much Ado About Nothing
[Enrico Benedetto Cossidente is an Italian Army officer and legal advisor specialized in international law and security issues. He is a PhD candidate at Ghent University. He writes in his personal capacity. The views expressed are those of the author and do not reflect the views of the Italian Army, the Ministry of Defense or the Italian Government. Twitter: @falleninlaw.]
The recent cyber-operation against a US company named SolarWinds brings us again to the forefront of international cyber law and the importance of words. I will analyze what politicians and international law scholars are discussing these days and how all of this is evidence that a Tallinn Manual 3.0 is needed, but will not give any definitive answer to the issues that still involve international (cyber) law.
The Hill published an interesting article that summarizes some first responses by US politicians to this act. It is striking, as their positions do not align with past actions conducted by the US Government in cyberspace and do not reflect international law. Sen. Dick Durbin’s statement that “[t]his is virtually a declaration of war by Russia on the United States and we should take that seriously” reminds us of the comment of the late Sen. John McCain calling the Russian actions during the 2016 Presidential election “an act of war”. Although declarations of war are in disuse, they are still part of international law and require some formalities (like a “previous and explicit warning” required by the Hague Convention (III) art. 1) that a covert cyber-operation does not fulfil. The cited article reports that Sen. Mitt Romney “compared the incident to Russian bombers ‘flying undetected over the entire country’ and harshly criticized Trump for not doing enough to counter the attack”. The reference to a pre-satellite era of overflight spy planes brings us to the famous 1960 U-2 incident and subsequent discussion between the US and the USSR on the issue (see here). President Eisenhower stated at the time that intelligence activities were “a distasteful but vital necessity” and that the US did not use its armed forces “for this purpose, first, to avoid any possibility of the use of force in connection with these activities and, second, because our military forces, for obvious reasons, cannot be given latitude under broad directives but must be kept under strict control in every detail” (News Conference Statement by the President, May 11, 1960 – emphasis added). So with his comparison Sen. Romney indirectly admitted that there was no ‘attack’ in the military (and legal) sense and that the intrusion was an intelligence operation. Therefore President Trump cannot “counter the attack”.
Sen. Angus King was quoted saying that “[n]o response is not appropriate, and that’s been our national policy by and large for the past 10 or 15 years,” which is incorrect to say the least. One example might suffice: the Obama administration reacted to the 2016 interference by Russia with economic sanctions, the expulsion of Russian diplomats and covert cyber-operations against Russia. The problem is not a political but a legal one. On that occasion the US government could only resort to retorsions, as countermeasures (acts normally illegal but justified if used to bring another State to compliance with international law) were not legally possible.
One of the few who defined the event as espionage was Rep. Mike Gallagher, who immediately slipped on a banana peel by saying that “those responsible [should] feel pain in response to this intrusion”. Intelligence operations are not illegal under international law and the US National Security Agency (NSA) even conducted them against allies. It seems a bit strange that there is all this excitement by US politicians about this event when as early as 1999 a Department of Defense “Assessment of international legal issues in information operations” stated that “[i]nformation operations activities are more likely to fall within the category of peacetime espionage. Perhaps more importantly, the reaction of the world community to information operations that do not generate widespread dramatic consequences is likely to be very similar to its reaction to espionage, which has traditionally been tepid” (emphasis added).
One assertion of The Hill article (that we can find elsewhere) needs particular attention. The alleged North Korean hack and destruction of Sony Pictures data was not a State-on-State action but an operation conducted by a State against a private company. So to imply that this event is a “hit by a nation state” against the US is wrong. Clearly the intentions behind it (silencing free speech) go against one of the most important constitutional values of the US but not against international law per se. In this case as well, the US reaction was economic sanctions that, although legal, are difficult to understand, as North Korea interfered with the operation of a major film studio corporation and not with a government entity, unless someone defines Hollywood as part of the US critical infrastructure.
Unlike politicians, current and retired government officials agree that this was a “successful espionage operation” and not a cyber-attack.
International law scholars
Professor Jack Goldsmith published an interesting article on the issue and received an in-depth reply by Professor Ryan Goodman via Twitter. As is foreseeable, I agree and disagree with both at some level.
Let us start with what I do agree with. As already anticipated I agree with them that this was an espionage act and not an attack and does not require a military reaction. Intellectual honesty would require admitting that what happened to the US was also done by the US to others before.
Now to what I do not agree with. I will follow Prof. Goodman’s comments on Prof. Goldsmith’s article for consistency.
“Jack argues that USG’s aggressive disruption of Russia’s Internet Research Agency (IRA) in 2018 opens door to other countries’ engaging in similar disruptive actions against US for espionage. But that erroneously conflates IRA’s actions with espionage”.
I disagree with Prof. Goodman. Prof. Goldsmith stated that the additional measure allowed to US actors in cyberspace beyond intelligence is “disruption of the adversary system”. This means that the US, and in the future other States, could disrupt a system “following extended espionage” (emphasis added). The additional task may occur beyond the intelligence gathering and it would not be in itself, according to Goldsmith, intelligence. I do agree with this assertion, but the fear that is purported in Prof. Goldsmith’s article is merely theoretical and excessive in light of what we publicly know of the operation against SolarWinds. As one expert stated, “we have no evidence yet that any information has been deleted, destroyed, manipulated or modified”. This would prove that Russia did not align itself with the conduct of the US Cyber Command against the IRA. That is, assuming that Russia was behind this act, an idea President Trump disagrees with.
“The Internet Research Agency was engaged in election interference (not simple espionage). The IRA’s actions may be said to violate international law – legally justifying US disruptive cyber actions in response”.
I vigorously disagree. If one takes the sovereignty/non-intervention approach, as explained before, the recent US practice did not follow it, and rightly so, as there are still discussions on the absence of coercion (see ICJ Nicaragua case para. 205) in election interference (see Prof. Michael Schmitt here, here and here). So this leaves countermeasures out of the picture.
If we take the self-determination approach presented by Prof. Jens Ohlin, then the Russian action during 2016 might have violated international law because in the election process opinions were disseminated by external actors that posed as internal ones, thus violating the US citizens’ right to choose autonomously (self-determining) their leaders. Prof. Ohlin’s position is that a response can happen through domestic and international law regulation, thereby leaving a cyber counter action outside the picture.
The position of Prof. Goodman on the legality of such action seems to follow a jus ad bellum paradigm (preemptive self-defense maybe?) that the above-mentioned approaches exclude from the beginning stating that election influence is not a military action.
I will not get into the deterrence comments by Prof. Goodman as it is my understanding that they relate to international relations more than law. But it seems appropriate to mention Prof. Schmitt’s opinion on the matter as one of his articles is cited by Prof. Goodman in his tweet:
“[i]n the absence of a rule of sovereignty (or even in the presence of a rule but with a high threshold for what type of cyber activity constitutes a sovereignty violation, as in limiting violations to operations that cause physical damage), States will generally be free to implant harmful malware in the private or public cyber infrastructure of other States so long as the immediate consequences of the operation are not […] extremely severe. It does not matter whether the operation is inspired by deterrent purposes or is malevolent” (emphasis added).
“Finally, does #SolarWindsHack violate international law? It’s a more difficult question than some have suggested. The scale and form of the operation are compromising the ability of critical USG networks to communicate including in nuclear sector. A violation of sovereignty?”
The question does not appear to be so difficult from what we know right now. There was an infiltration, information was gathered, data was not modified/destroyed and malware, if implanted, was not ‘activated’. There has been a widespread and effective intelligence operation conducted by a foreign State against the US. Disappointing, negative, showing that something did not work properly, but so far it did not violate international law.
The second assertion refers to scale and form (scale and effects?) of the operation. Firstly, not everyone agrees (Prof. Ohlin) on the way the scale and effects approach was written in the Tallinn Manual (both versions) rule on the definition of use of force. Secondly, no one is able yet to define the magnitude of the hack (here, here and here), although everyone agrees there has been a modification of SolarWinds program code that only FireEye (a cybersecurity company) discovered. The FireEye threat research states that the malware called SUNBURST “[a]fter an initial dormant period of up to two weeks, it retrieves and executes commands, called “Jobs”, that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services. The malware masquerades its network traffic as the Orion Improvement Program (OIP) protocol and stores reconnaissance results within legitimate plugin configuration files allowing it to blend in with legitimate SolarWinds activity”. FireEye later reports that the malware’s abilities are to run tasks, delete tasks, write files and delete files. All this is evidence of a threat that, unless proven otherwise in the future, did not materialize, as those who implanted the malware did not use their power to modify and/or destroy data. In addition, those affected by it did not experience malfunctions (no nuclear reactor melted, yet). Therefore I cannot agree that the operation affected US critical infrastructure in a way that could justify the violation of US sovereignty. Even if we take Prof. Goodman’s view, there are some methodological flaws. In the first place, there is no agreement on it, as the Tallinn Manual 2.0 points out: “no consensus could be achieved as to whether, and if so, when, a cyber operation that results in neither physical damage nor the loss of functionality amounts to a violation of sovereignty”.
In the second place, such an approach would imply that the US should not only admit to having conducted the same type of operation against others in the past but also that it has violated international law by doing so. The Trump administration notwithstanding, I honestly cannot believe in the US being so candid.
The SolarWinds affair is espionage, confirming that cyber-operations are not acts of war and do not need a military response. It also shows the need for scholars to engage in a Tallinn Manual 3.0 and exposes the shortcomings of States in their interpretation of international law. The statements of States on cyber-operations are not always coherent, are sometimes relegated to Defense Ministries (see here and here) and too often support a jus ad bellum approach to a matter that often involves intelligence.
I will conclude by referring to a statement in The Hill article by Theresa Payton, White House chief information officer during the George W. Bush administration, “[i]f somebody flew a plane into our airspace, a military plane, we have an international accord for that, and we don’t really have that for the digital domain”. Aside from the explicit militarization of cyber by using the military plane analogy, one could agree that if States wanted to reduce tensions and escalations in the cyber domain they could agree on some basic principles to control each other in cyberspace as they do with the Open Skies treaty (that the US left but might rejoin in the future). Nevertheless these are all well-known facts and issues (we will soon have a third edition (!) of a manual on the topic) and, as has happened in the past, States are not yet ready to renounce such a cheap and useful tool of statecraft, leaving us to discuss much ado about nothing.