As the recent ransomware attack WannaCry revealed, cyber-attacks are by nature invasive, and can affect every layer of society. As such, only a comprehensive response, involving experts from a wide range of fields, can be effective.
For this reason, every year, NATO, Allies and Partner Nations test their cyber resilience in the world’s largest and most complex international live-fire cyber defence exercise, Locked Shields. This exercise, which is organised by the NATO Cooperative Cyber Defence Centre of Excellence, not only tests the skills of cyber security experts, but also the support they receive from their legal teams, among other specialists.
In 2017 – and for the second year running – the NCI Agency’s team won Locked Shields’ legal challenge.
Cyber operations: a law unto themselves?
In order to defend against malicious cyber operations, organizations must rely on security experts who can immediately defend, deter and repair computer networks under attack. While skilled computer analysts might be able to identify what has happened and trace the attack, further steps cannot be taken without first consulting a lawyer.
The lawyer must analyze the applicable legal regime, and inform the cyber team of the boundaries of their actions. Making an assessment in a short timeframe can be challenging, especially in cyberspace, as this requires on-the-spot interpretation of legal rules that were drafted a long time ago.
Depending on the nature and identity of the perpetrator, various legal remedies and frameworks may apply. In the case of a local hacktivist group or a group of cyber criminals, legal remedies may involve a combination of international law enforcement measures and/or claims for damages in international private law.
However, if the malicious acts were perpetrated by a State, the victim State could invoke the ‘law of State Responsibility’ and seek remedies under international law.
Moreover, if the malicious cyber operation caused actual damage that amounted to a use of force by another State, it would possibly justify countermeasures or, ultimately, self-defence measures by the injured party. This is why it is crucial for a lawyer to be present at all stages of cyber defence, so that they can properly analyze the facts, and translate them into immediate legal actions in the limited time given.
For example, what can we do if another State hacks into a critical military airbase causing fuel leaks which might later set off fires and explosions? What are the scale and effects of this attack, and what are our options, legally? Are we allowed to use active defence measures beyond our own networks? Can we take countermeasures under international law against that State, in order to end their unlawful act? Or, can we even use force in order to prevent the damage from materializing? Could it even trigger an armed conflict and if so, would that impact the measures we can legally take? What if there is no certainty about the identity of the attackers?
The examples given above were among the many different scenarios that the Agency’s legal advisors had to analyze during Locked Shields. Participants had to provide legal answers within a limited timeframe to add a sense of reality to the exercise. This time pressure emulated the requirements of military commanders and political decision-makers in the conduct of operations. The teams were also assessed on the clarity of their answers.
Cyber-attacks, attribution and the law
The law usually responds to new developments in society, but when these developments arise at the speed of a fibre-optic cable, lawmakers can have a hard time keeping up. While rules governing international operations already exist, many of them have not been interpreted for cyber operations yet. This is why lawyers need to run through contemporary cyber legal matters, and translate existing legal standards to the cyber domain.
Recently released books, such as the Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations, try to provide legal guidance, helping organizations interpret existing rules and legal norms in the cyber context. This guidance, along with the ongoing analysis provided by lawyers during cyber operations, can ensure that a State’s or an organization’s (re-)actions to cyber-attacks have a legal basis. This in turn creates new customary rules based on state behavior.
It should be noted, however, that even though these books provide scholarly guidance and practical tools to deal with cyberspace legal issues, many of the violations have not yet materialized. If they do, States may decide to respond very differently, and suggested legal actions or outcomes may not necessarily be followed by States.
Attribution can also be a source of difficulty during cyber operations. The victim of a cyber-attack has limited legal response options, which can be seriously hampered when the perpetrator’s identity is not clear. Cyber security experts must be able to prove with reasonable certainty that a certain actor is behind malicious cyber operations for the victim State to take certain legal actions.
While the author of a conventional use of force can usually be identified with certainty very quickly, cyber-attacks usually involve techniques that will make it difficult to attribute the attack to a specific State or group. This can effectively prevent the victim State from obtaining the needed legal basis to respond under international law. Therefore, lawyers may need to look at the context of a cyber-attack to determine its nature. For example, cyber-attacks carried out during a conventional conflict will probably be associated with the adversary.
Also, as cyber-attacks are increasingly carried out by groups that only have a loose affiliation to the State where they are located, it is difficult to determine if that State is aware of, involved with or even actively supporting the attacker.
If, for example, the State concerned refuses to provide assistance in stopping attacks from a group on its territory, then the injured party may at some point conclude that this State is either supporting the group or the attack, or unable to prevent the attacks from happening. In that case, a legal advisor must determine whether the attack can still be resolved under the applicable law enforcement regime, what the options are under international law, and possibly if it may justify a military response.
Finally, the effects of a cyber-attack may be overestimated initially. What may appear as a major attack may only create minor damage in the long term. For example, a denial of service attack, like the one that occurred in Estonia in 2007, will render websites inaccessible for a certain period of time, but may not cause permanent damage or loss of data. And if the injured party were to retaliate with a military response too quickly, they would run the risk of reacting in a disproportionate, and thus unlawful, manner.
Most cyber-attacks that take place currently, however, do not reach the threshold of an armed conflict. They occur during peacetime. They include malicious activity such as breaking into military networks to steal classified information, espionage, website defacement and denial of service attacks.
Although these attacks may not be legally sufficient to trigger an armed conflict, they do not prevent the victim from taking steps to protect their network and infrastructure, for example by filtering or blocking network traffic coming from certain regions. Defensive measures can also contribute to gathering evidence against an attacker, and using it through international treaties for policing and judicial cooperation.
These examples highlight the need for legal staff to be constantly involved in cyber exercises, so as to simulate real-life decision-making processes, at all (political, operational, public relations and legal) levels. Exercises like Locked Shields help lay bare contemporary legal challenges and solutions and, as such, provide deeper insight into the cyber domain.