Deterring the Next Invasion: Applying the Accumulation of Events Theory to Cyberspace

[Michael McLaughlin is a cybersecurity attorney and policy advisor in the Washington, D.C. office of Baker, Donelson, Bearman, Caldwell & Berkowitz, P.C. He is the former senior counterintelligence advisor for United States Cyber Command and a research affiliate for the Applied Research Laboratory for Intelligence and Security. He holds a Bachelor of Science from the United States Naval Academy and a juris doctorate from the University of Maryland School of Law.]

After years of conducting destabilizing activities worldwide with impunity, Russian forces crossing the Ukrainian border proved to be a bridge too far. With a firm and united hand, the international community is finally pushing back against Russia’s brazen hybrid war. Nations, global corporations, and hacktivist groups have all turned their sights on Moscow, landing significant blows to the Russian economy that will reverberate for years to come.

After a year of open warfare in Ukraine, the world must ask: why did it take a military invasion of a European nation’s sovereign territory to stir the world to action? Russian aggression in Ukraine is merely the kinetic expression of the types of malicious activities the Kremlin has been orchestrating for over a decade in cyberspace. As the crisis in Ukraine continues its sprint towards chaos with increasing entropy, the question must be asked: what could the international community have done differently, and—more importantly—how can international law be applied more effectively address patterns of irresponsible behavior going forward?

Russia’s Hybrid War

Russian cyber actors are most adept at exploiting the digital grey-zone of international law—the area below the level of armed conflict where traditional rules and principles do not apply clearly to the cyberspace domain. For years, Russia has injected ambiguity into the legal analyses of other nations. This ambiguity has caused delay or failure by victims to respond for fear that any use of force in self-defense or as a countermeasure might itself be viewed as a violation of international law. As a result – despite sanctions, indictments, and public attribution for numerous intrusions – Russia’s malicious cyber activities have continued unabated.

Russia has been able to freely execute its brand of hybrid warfare because the international community failed to levy a consequence sufficient to alter the risk calculus of aggressor states conducting malicious activities in cyberspace. In other words, international law has yet to make the juice of cyber-enabled malicious activities no longer worth the squeeze. The result of this legal inadequacy is the present chaotic spiral where nation-state conduct and escalatory responses have created a global digital warzone wherein the line between combatant and non-combatant ceases to exist. Without legal deterrence, the spiral will only broaden as developing nations and non-state proxies harness cost-effective cyber alternatives to conventional military capabilities. 

To effectively deter cyber-enabled malicious activities, the global community must reimagine how international law applies to cyberspace. While individual cyber operations may be strategically framed to stop short of a “use of force” or an “armed attack,” the consequences of the totality of an aggressor state’s campaign of malicious cyber activities can have far-reaching impact on the peace and security of the international community. The cyber campaign undertaken by Russia’s Main Intelligence Directorate (GRU) Sandworm Team provides a case in point:

In October 2020, a Pennsylvania grand jury returned an indictment charging Russian cyber actors for deploying “destructive malware and tak[ing] other disruptive actions, for the strategic benefit of Russia, [including] cyber-enabled malicious actions aimed at supporting broader Russian government efforts–regardless of the consequences to innocent parties and critical infrastructure worldwide – to undermine, retaliate against, or otherwise destabilize: (1) Ukraine; (2) the country of Georgia; (3) France’s elections; (4) efforts to hold Russia accountable for its use of a weapons-grade nerve agent on foreign soil; and (5) the 2018 Winter Olympics[.]”

The Sandworm Team’s individual operations were designed to brush against the threshold of armed conflict without clearly breaching it, preventing the international community from legally responding to any individual act with force sufficient to forestall Russia’s continued malicious activity. The immediate result of this inaction was Sandworm’s deployment of NotPetya–considered the most damaging cyberattack in history with damages surpassing $10 billion. The long-term effect of the international community’s neutered response was the Kremlin’s belief that the global community would fail to muster more than a similarly muted response to a full-scale invasion of Ukraine.

Considering the destabilizing effect Russian aggression has on the international community, international law must evolve to address not just individual actions, but campaigns of cyber-enabled malicious activities. Such an evolution would afford victims the ability to aggregate the consequences of multiple breaches conducted by a single aggressor to most effectively defend themselves.

Aggregating Consequences

The principle of aggregation is well understood when applied to other areas, such as criminal law. For example, an individual who follows his co-worker home on a single occasion may draw the co-worker’s ire, but likely would not violate a criminal statute. If the individual continues to follow his co-worker home on multiple occasions after having been asked to stop, he might be liable for harassment. If the individual follows his co-worker home on multiple occasions, makes threatening comments, and generally instills a reasonable fear of bodily harm in his co-worker, the aggregation of individual wrongful acts could elevate the actions to the crime of stalking. This is called normative aggregation, and it occurs where two or more claims – the individual normative weights of which are insufficient to establish liability–are aggregated, and the combined weight of all claims is sufficient.

When applied to malicious cyber activities in the context of international law, normative aggregation may be appropriate where a series of acts can be attributed to a single State. As with normative aggregation in domestic criminal law, individual malicious cyber activities do not have to constitute a standalone wrongful act if, in the aggregate, the consequences of state action constitute a breach of an international obligation. Under international law, this theory of aggregation is called the Accumulation of Events Theory, or Nadelstichtaktik (needle prick).

During the 1970s, Israel invoked Nadelstichtaktik to justify its bombardment of Palestine Liberation Organization (PLO) strongholds in Lebanon as being in response to a series of small-scale attacks by the PLO.  Under Israel’s theory, though each individual act of terrorism by the PLO may not have risen to the level of armed attack triggering an Article 51 right to self-defense, the sum of the combined consequences of the campaign of terrorist attacks crossed that threshold. The primary thrust of this theory is that the actions taken in self-defense to a series of wrongful acts should not be judged through the limited scope of an immediate response to an isolated attack; rather, the actions should be viewed as a response to the total consequences. 

For Israel’s claim, the Security Council refused to aggregate the PLO’s series of attacks and deemed Israel’s actions to be in violation of international law.  Conducting a strict reading of the language of Article 51, the Security Council could only scrutinize Israeli action taken in response to particularized attacks by the PLO.  However, in 2002, the U.N. adopted the Articles on Responsibility of States for Internationally Wrongful Acts (ARSIWA), which asserts that a “breach of an international obligation by a State through a series of actions or omissions defined in aggregate as wrongful occurs when the action[,] . . . taken with the other actions or omissions, is sufficient to constitute the wrongful act.”  This resolution gives significant support to the application of the Accumulation of Events Theory.

Legal Options for Cyber Deterrence

Unfortunately, there exists limited opinio juris or customary international law to assist in determining whether normative aggregation of the consequences of cyber operations can be used to establish a predicate for self-defense options or countermeasures. However, since the mass adoption of the Internet worldwide – and certainly since Israel’s failed Nadelstichtaktik claim, the types and scale of belligerent actions that are executed in the digital-grey zone of international law continue to increase significantly. As evidenced in multiple International Court of Justice (ICJ) rulings and enshrined in the ARSIWA, a general rule has coalesced regarding the aggregation of actions under international law. Where there exists a series of connected acts which are cumulative in nature and attributable to a State, a breach of an international obligation occurs when the combined consequences of the acts are sufficient to constitute an internationally wrongful act. Whether the internationally wrongful act constitutes an armed attack depends on the scale and effect of the consequences.

To this end, the ICJ has provided a patchwork of guidance by implication from which a framework may be discerned. In Nicaragua, the ICJ indicated that when determining the existence of an armed attack, “customary international law continues to exist alongside treaty law. The areas governed by the two sources of law thus do not overlap exactly, and the rules do not have the same content.”  The Court further explained that there exist varying degrees of uses of force, not all of which constitute an armed attack.  In ruling on Nicaragua, the ICJ analyzed whether incursions by Nicaragua “singly or collectively” amounted to an armed attack.  Ultimately, the Court found the information provided to be insufficient to make a determination.  Similarly, in the Oil Platforms case, the ICJ analyzed whether an Iranian attack, “either in itself or in combination with the rest of the ‘series of. . . attacks’ cited by the United States can be categorized as an ‘armed attack’ on the United States justifying self-defence.”  Ultimately, the ICJ ruled that Iran’s actions, “taken cumulatively . . . do not seem to the Court to constitute an armed attack on the United States, of the kind that the Court, in the case concerning Military and Paramilitary Activities in and against Nicaragua, qualified as a ‘most grave’ form of the use of force.” 

To invoke the right of self-defense by aggregating the consequences of multiple cyber-enabled malicious activities, the ICJ provides insight into several key notions:

First, uses of force are governed by the UN Charter and other treaties, as well as by customary international law. “[L]aws on the use of force can be interpreted, re-interpreted, or even superseded by subsequent State practice pointing to emerging customary international law.”  This allows for some flexibility in the evolution of the right to self-defense due to advancements in the use of cyberspace for both warfare and statecraft. 

Second, the gravity of different uses of force is a spectrum, with the “most grave” form consisting of armed attack.  While the gravest forms of the use of force would, by definition, trigger a right to self-defense (or collective self-defense), less grave forms may be aggregated if the individual actions are connected temporally and causally and have a common source.  

Third, it is not required that actions being aggregated consist solely of uses of force.  The Court in Nicaragua pointed to the Declaration on Principles of International Law concerning Friendly Relations and Co-operation among States to describe actions that may constitute less grave uses of force.  The resolution is a far-reaching statement on international norms, and includes principles such as: “the duty to refrain from the threat or use of force to violate the existing international boundaries of another State[;]” “the duty to refrain from organizing, instigating, assisting or participating in acts of civil strife or terrorist acts in another State[;]” and that all States have “an inalienable right to choose its political, economic, social and cultural systems, without interference in any form by another State.”  However, the consequences of accumulated acts must still reach the de minimis threshold of armed attack in order to satisfy the UN Charter’s requirement for invoking the right to self-defense.  

Finally, proportionality of actions taken in self-defense must not surpass that which is necessary to forestall the cumulative effects or the continuation of the individual wrongful acts. 

The foundational test for when a cyberattack constitutes an armed attack triggering a right to self-defense is whether the consequences are comparable with those resulting from a kinetic weapon. To aggregate the cumulative effects of cyber-enabled malicious activities that do not individually reach this threshold, the consequences and actions must be causally and temporally related and attributed to a single source. The accumulation of events begins with the first identifiable wrongful act in the series and continues until the activity ceases.  Any action taken in self-defense must be both proportionate and necessary to the effective exercise of self-defense.  In responding to cyber-enabled malicious activities, proportionality and necessity are predicated on that which is required to affect either the ability or the will of the nation in violation to continue its wrongful actions.

Conclusion

Despite the understandable reluctance by States to respond to cyber activities with what might constitute a use of force, it is crucial for global leaders to be reminded that international law was not intended to be a suicide pact.  States are expected to enforce international obligations by inflicting an adequate punishment for violations of international law. It is therefore incumbent upon nations to enforce the guiding principles underpinning the international community where there exist grey zones consistently being exploited at the expense of international peace and security.

Malicious cyber activities by states such as Russia persist because their leaders perceive there to be an insufficient risk of blowback. To this end, Russia has consistently tested legal boundaries for signs of resistance and, finding none, has proceeded to execute increasingly unrestrained cyber-enabled malicious activities against nations and organizations worldwide. And Russia’s blueprint is being followed by Iran and North Korea, amongst others. It is impractical for the international community to hope for a change in this strategy. To remedy the failure of international law and adequately deter and punish egregious campaigns of cyber-enabled malicious activities requires that States be able to respond with something more than retorsion. The application of the Accumulation of Events Theory to such campaigns might reshape the calculus of other nations seeking to execute Russia’s brand of low-intensity cyber warfare.