Published by The Lawfare Institute
in Cooperation With
If international law intends to regulate state behavior to ensure international peace and security, it must reflect the conceptions of security the states employ that threaten the same, such as threats to use force and armed conflict. Conceptions of security derive from strategic environments, of which three—nuclear, conventional, and cyber—coexist with their own distinct conceptions of security. International law centers on coercive behavior taking the forms of episodic threats or uses of force and armed attacks, behavior that maps to the conceptions of security of the nuclear and conventional environments that threaten peace and security. International law falls short for the cyber strategic environment where the conception of security emphasizes initiative persistence through exploitation, and challenges to peace and security primarily take the form of nonforcible campaigns. For the rule of nonintervention, specifically, to be more relevant in the context of cyberspace, the scope of coercion must be expanded to reflect this conception of security. Recent remarks by the United Kingdom’s former attorney general reflect an important shift in this direction. But it is only a half-step to increased relevance—the concept of countermeasures must also be reconsidered in light of initiative persistence through exploitation.
The Structural Imperative and Security Logic of the Cyber Strategic Environment
Core characteristics of the cyber strategic environment produce a structural imperative for persistent exploitation. This structural imperative, vice strategic choice, underpins a conception of security (referred to hereafter as security logic) that rests on anticipating the exploitation of one’s own vulnerabilities, leveraging the capacity to exploit others’ vulnerabilities, and seizing and sustaining initiative in this exploitation dynamic. This security logic of initiative persistence through exploitation, in turn, manifests as cyber campaigns, operations, and activities by and through which states seize opportunities to maintain and advance national interests in day-to-day competition and set conditions to succeed in potential crisis and conflict. States that can sustain initiative persistence can achieve strategic success by inhibiting the consequential gains of opponents or by achieving such gains themselves.
Some states have proved to be adept at cumulating strategic gains in and through cyberspace via campaigns that generate effects that fall short of threats or uses of force but nonetheless threaten peace and security—gains that were, before the advent of cyberspace, achievable only through kinetic coercive and forcible actions. Whereas international law offers forcible self-defense as a remedy for kinetic actions, that remedy provides no recourse to those injured by nonforcible cyber campaigns. To be more relevant in the context of cyberspace, international law must be reinterpreted to align with the security logic of initiative persistence through exploitation.
The Rule of Nonintervention
A strong candidate for reinterpretation is the rule of nonintervention, which declares that coercive intervention in the “internal or external affairs” of other states is an internationally wrongful act. Two conditions must be met to determine a violation of the prohibition. First, it applies only to matters that fall within another state’s domaine réservé. These are matters that international law leaves to the sole discretion of the state concerned, described as the “choice of a political, economic, social and cultural system, and the formulation of foreign policy.” Second, an act must involve coercion. “But what exactly is coercion?” the U.K.’s former attorney general recently asked (rhetorically). If the rule of nonintervention is to be more relevant in the cyber context, coercion must be conceptualized in a manner that reflects the security logic of initiative persistence.
Some observers have conceptualized coercion as referring “to an affirmative act designed to deprive another State of its freedom of choice, that is, to force that State to act in an involuntary manner or involuntarily refrain from acting in a particular way.” Others understand coercive behavior “as pressure applied by one state to deprive the target state of its free will in relation to the exercise of its sovereign rights in an attempt to compel an outcome in, or conduct with respect to, a matter reserved to the target state.” And still others argue that the scope of coercion “must be understood to encompass actions involving some level of subversion or usurpation of a victim state’s protected prerogatives … designed to achieve unlawful gain or to deprive a victim state of a legal right.”
The security logic of initiative persistence is not aligned with these understandings of coercion in that it does not primarily encourage actions intended to deprive a state of free will or choice. Instead, as I’ve argued on Lawfare, states seek strategic gains through actions affecting the political, economic, social and cultural, and foreign policy systems that are freely chosen by states by altering the cyber strategic environment in and through which those systems function. From this perspective, an international obligation is breached when initiative persistence intentionally alters the environment such that freely chosen systems are not functioning as a state intends. The U.K.’s former attorney general makes a related argument, stating that intervention in the context of cyberspace “will be unlawful if it is forcible, dictatorial, or otherwise coercive, depriving a State of its freedom of control over matters which it is permitted to decide freely by the principle of State sovereignty.” The emphasis on freedom of control aligns with my argument by expanding the scope of coercion to include both freedom of choice over and nonforcible disruption of states’ sovereign matters. Coercion, when conceptualized in this manner, accounts for the security logic of initiative persistence. Under this conceptualization, many state-sponsored cyber behaviors that may not be interpreted as internationally wrongful today could be interpreted as wrongful. These could include, for example, disrupting the provision of essential medical or government services or the dispatch of essential medical or disaster response and transport services; causing the energy supply chain to stop functioning at a national level by damaging or preventing access to pipelines, interchanges, and depots; or preventing the operation of power generation infrastructure.
Conceptualizing coercion in a manner that aligns with the security logic of initiative persistence through exploitation makes the rule of nonintervention more relevant in the context of cyberspace. But it only represents a half-step to relevance; countermeasures must also reflect the security logic of initiative persistence.
When a state is injured by the internationally wrongful actions of another state, international law permits it to respond with self-help, including countermeasures. Countermeasures are acts that would, in general, be considered internationally wrongful but are justified when used to induce cessation of a state’s ongoing violation of international law. Some experts argue that countermeasures are poised to play a growing role in interstate relations as states increasingly employ cyber campaigns to maintain or advance their national interests. This is likely only if countermeasures are reinterpreted to reflect the security logic of initiative persistence through exploitation.
The application of countermeasures is subject to limitations and conditions to ensure they are kept within “generally acceptable bounds.” They must be nonforcible, proportionate, and directed against the responsible state. As they are taken with a view to inducing cessation of an internationally wrongful act (and not by way of punishment), they must be temporary in character and be, as much as possible, reversible in their effects in terms of the future legal relations between the two states. Although the injured state intending to take countermeasures should notify the offending state and offer to negotiate, the injured state may take “urgent countermeasures as are necessary to preserve its rights,” even before any notification of such intention.
Countermeasures are defined as a nonforcible coercive remedy intended to alter the strategic calculus of the offending state, causing it to cease its offending behavior. In light of the security logic of initiative persistence, two distinct issues arise: first, the utility of state cyber actions as a coercive instrument and, second, the limitation directing countermeasures only against the offending state.
States coercively applying nonforcible instruments of national power under the guise of retorsion (unfriendly but not unlawful state actions), including economic, diplomatic, and cyber actions, generally have a poor track record in altering the strategic decision calculus of others engaging in either internationally wrongful behavior or unfriendly behavior, including disruptive cyber campaigns. Additionally, the cyber instrument itself is understood by most scholars to be a weakly coercive state instrument. It is unlikely, then, that nonforcible cyber countermeasures would induce cessation of nonforcible internationally wrongful cyber campaigns.
An interpretation of countermeasures that accounts for the security logic of initiative persistence would consider countermeasures as otherwise unlawful acts that preclude or limit the opportunities or otherwise constrain the internationally wrongful behaviors of states that are acting on the cyber structural imperative to persist but are doing so in ways that violate international law. The concept of “otherwise constraining” could include, for example, cyber campaigns directed against the offending state that cause friction or put “sand in the gears” of its cyber apparatus with the objective of disruption vice cessation. What has received less attention is the notion of cyber countermeasures as acts that preclude or limit opportunities for offending states to continue internationally wrongful behaviors in and through cyberspace. Distinguishing between these two tracks is the operational approach. The first is directed against the offending state’s cyber apparatus; the second is directed against cyber terrain upon which the success of the offending state’s campaign relies, terrain over which nonoffending states likely hold jurisdiction. This second track is where the existing limitation on countermeasures being directed against the offending state comes to the fore. To serve as an effective remedy for the cessation of an internationally wrongful cyber action, both tracks must be available to states wanting to employ cyber countermeasures. Thus, an exception to the limitation directing actions only against the offending state is needed for the context of cyberspace.
A review of two U.S. Department of Justice domestic efforts (a response to China’s Hafnium campaign and anticipation of a threat from Russia’s Cyclops Blink malware) can offer insight into how this exception could support cessation, as those two efforts successfully precluded and limited the opportunities for threat actors. Further, highlighting the specific operational characteristics of those efforts allows for a consideration of the operational approaches as models for countermeasures in a hypothetical international context.
Precluding and Limiting Opportunities—Domestic Exemplars
In early 2021, Chinese state-sponsored cyber threat actors (Hafnium) exploited zero day vulnerabilities in the Microsoft Exchange Server software, which are collectively known as ProxyLogon, and placed web shells (pieces of code or scripts that enable remote administration) to ensure continued access. After Microsoft disclosed the intrusions and issued a patch, other threat actors, including ransomware groups and crypto-mining gangs, began exploiting the web shells to install their own malware. Approximately 68,500 servers worldwide were compromised, impacting over 21,000 organizations. In February 2022, the Cybersecurity and Infrastructure Security Agency published a joint advisory on Cyclops Blink malware with the FBI, the National Security Agency, and the U.K.’s National Cyber Security Centre, which targeted network devices manufactured by WatchGuard and ASUSTek Computer. Prior to the release of the advisory, the FBI had identified “hundreds” of compromised devices in the United States serving as part of a far larger botnet.
The Justice Department’s approach to mitigating these threats centered on precluding or limiting the threat actors’ opportunities for leveraging the proliferating web shells and botnet. Assessing this approach against the limitations and conditions of countermeasures offers insights into the promise and challenges of adopting a similar approach for countermeasures.
In both exemplars, the first public action taken by the FBI, in conjunction with other actors, was a public awareness campaign highlighting the threat, including published advisories regarding the offending actions. Subsequently, vendors publicly released detection and remediation tools, which resulted in an “exponential” drop in opportunities for the threat actors. The FBI then sought to contact parties whose systems or devices remained compromised, including thousands impacted by the Hafnium breach and hundreds by the Cyclops Blink malware, to inform them that mitigation action was needed. These efforts further reduced opportunities for threat actors in both cases—down to 7 to 9 percent of the original opportunity set. Weeks after launching the public awareness campaigns, the FBI executed court-authorized warrants, with delayed notice, to eliminate remaining opportunities from compromised systems and devices. Finally, all parties who were subject to the warrant were notified by the FBI or another party.
To eliminate the remaining opportunities for Hafnium and piggy-backing threat actors, the FBI copied and then deleted the web shell from all U.S.-based systems that remained compromised, according to its public scan. The operation only copied and removed the web shells; it did not patch any Microsoft Exchange Server zero day vulnerabilities, thereby avoiding any potential system disruptions that patching might cause. Prior to the operation, the FBI conducted a technical evaluation of the code, an internal test, and a related briefing to an outside expert to ensure the code would not adversely affect the systems and Microsoft Exchange Server software running on such systems.
Eliminating Russia’s remaining opportunities required a different operational approach. After identifying a number of command and control (C2) firewall devices supporting the Cyclops Blink botnet, the FBI executed a warrant for U.S.-based devices to retrieve data from the devices (pointing to other C2 devices), remove the malware from the devices, and block remote access to the devices’ management panels. These actions neutralized Russia’s ability to further access the devices or reconstitute the botnet. The FBI’s change to the firewall rules to prevent access to the management panel did not otherwise affect the functionality of the compromised devices. Additionally, the change was “nonpersistent,” meaning that “any compromised device owner can delete or change the rules or can restart the device to restore the configuration that allowed for the compromise.”
An Argument for an Exception
The domestic exemplars make a clear and powerful argument that self-limited cyber operations can successfully preclude or limit cyber threat actors’ opportunities to sustain their malicious behaviors. To extract value from these exemplars in regard to countermeasures, a state needs to consider the operational approaches in an international scenario such as the following: A state has violated the rule of nonintervention using cyber ways and means; the state is continuing to violate the rule through an ongoing act or composite act (series of operations); the injured state demands that the offending state cease its internationally wrongful actions; the injured state intends to apply countermeasures that preclude or limit the offending states’ opportunities for sustaining their actions; and those opportunities reside on networks, systems, and devices located in states other than the offending state.
The self-limited character of the operational approaches would satisfy countermeasures’ limitations of being nonforcible, proportionate, temporary, and reversible. Further, the delay in notice would not violate the condition of notification, as numerous international law scholars and states agree that the requirement to inform a state in advance of cyber countermeasures would likely nullify their intended effect. The key difference between the domestic exemplars and this international scenario is that the actions affecting nonoffending actors in the former were authorized by court-approved warrants, whereas, in the latter, “otherwise unlawful” actions affecting nonoffending states would be permissible only if, within the context of cyberspace, an exception is made to the limitation that countermeasures be directed only against the offending state. To discourage abuses of this exception, perhaps a condition ought to be that the injured state, after providing notice to the nonoffending states, provides copies of the evidence it has gathered through its operation as well as the Internet Protocol addresses from where the evidence was gathered so that the nonoffending states can determine if the operational effects should be permanent or temporary and whether or not the affected network, system, and device owners should be contacted.
Where Matters Stand and What’s Left to Do
Although states agree that international law applies in the context of cyberspace, they have been cautious in declaring opinio juris regarding how it applies. The Rosetta stone for this task is the security logic of initiative persistence through exploitation (this also holds for cultivating cyber norms). Ensuring that logic is accounted for in the scope of coercion as referenced in the rule of nonintervention is an important step toward making international law more relevant in the context of cyberspace. Unfortunately, the U.K. is the only state that has publicly offered remarks hinting at a recognition of this important step. Matters are even worse for countermeasures, as no state has publicly offered remarks recognizing the need for an exception to the limitation that countermeasures be directed only against an offending state.
These are a few of the key ways to make international law more relevant in the context of cyberspace. I say more relevant because, in spite of the lack of progress described above, a review of states’ practices and opinio juris regarding sovereignty in the context of cyberspace indicates that some states are acting and expressing obligations in ways that align with the security logic of initiative persistence through exploitation. Notably, a review of opinio juris reveals that, for some states, the self-limited character of the previously described operational approaches would certainly not, or likely not, be “otherwise unlawful,” thereby obviating the need to frame them as countermeasures. This includes the U.K., the U.S., Canada, Germany, and New Zealand. Further, the Czech Republic, Norway, and Sweden detail several types of cyber operations that would constitute a violation of sovereignty, none of which describe the operational approaches. This progress regarding sovereignty should not discourage states from pressing forward regarding a reinterpretation of nonintervention and an exception for countermeasures. Instead, it should serve as an indication that international law can be made more relevant in the context of cyberspace by ensuring that it accounts for the security logic of initiative persistence through exploitation. A next step is to make cyber countermeasures more robust through additional exceptions that further account for the security logic of initiative persistence, including exceptions for actions directed against non-state offending actors and collective and anticipatory countermeasures.