U.K. Outlines Position on Cyberattacks and International Law

On Wednesday, British Attorney General Jeremy Wright delivered public remarks titled "Cyber and International Law in the 21st Century.” This unilateral move marks an important step by states in developing and defending interpretations of existing international frameworks as applied to cyber. It will take a long time to cultivate strong international consensus on such interpretations, but even in the absence of new agreements, statements like these help show that cyberspace need not be “lawless.”

In 2017, Attorney General Wright made similar public remarks titled “The Modern Law of Self-Defence.” A major theme of that speech was how 9/11 and subsequent events catalyzed adaptation of international legal principles of self-defense to deal with nonstate terrorist threats. Here, he again emphasizes that international law can only be effective if it adapts to the strategic imperatives of states. There are many important points in the U.K. speech, which will require careful parsing.

Until now, the U.S. government had gone much farther than any other state in articulating its position on cyberattacks and the U.N. Charter, as well as the application of the law of armed conflict to cyber-operations in war. The most detailed—although still pretty spare—articulations include former State Department Legal Adviser Harold Koh’s 2012 remarks, State Department Legal Adviser Brian Egan’s 2016 remarks, the U.S. government submissions to the U.N. Group of Governmental Experts in 2015, and the Department of Defense Law of War Manual.

Among the most important conclusions from those U.S. government statements are that some cyberattacks, though carried out through digital means rather than kinetic violence, could cross the U.N. Charter’s legal thresholds of “force” or “armed attack,” thereby justifying armed self-defense.

The U.K. position now takes a similar line: “[T]he UK considers it is clear that cyber operations that result in, or present an imminent threat of, death and destruction on an equivalent scale to an armed attack will give rise to an inherent right to take action in self-defence, as recognised in Article 51 of the UN Charter.”

After giving the same hypothetical examples that the U.S. government often gives—causing a nuclear meltdown or taking down air traffic control systems with lethal results—the U.K. statement adds: “Acts like the targeting of essential medical services are no less prohibited interventions, or even armed attacks, when they are committed by cyber means.”

The U.K. position also briefly tackles the hot issue of political or electoral interference through cyber operations. Among other things, the U.N. Charter prohibits:

the use by a hostile state of cyber operations to manipulate the electoral system to alter the results of an election in another state, intervention in the fundamental operation of Parliament, or in the stability of our financial system. Such acts must surely be a breach of the prohibition on intervention in the domestic affairs of states.

Here, the U.K. seems to emphasize the doctrine of countermeasures in response, though with an important twist. It says that contrary to a popular view:

we would not agree that we are always legally obliged to give prior notification to the hostile state before taking countermeasures against it. … [W]e say it could not be right for international law to require a countermeasure to expose highly sensitive capabilities in defending the country in the cyber arena, as in any other arena.

The U.K. takes an important position on sovereignty with implications for intelligence and offensive cyber operations:

Some have sought to argue for the existence of a cyber specific rule of a ‘violation of territorial sovereignty’ in relation to interference in the computer networks of another state without its consent. Sovereignty is of course fundamental to the international rules-based system. But I am not persuaded that we can currently extrapolate from that general principle a specific rule or additional prohibition for cyber activity beyond that of a prohibited intervention. The UK Government’s position is therefore that there is no such rule as a matter of current international law.

On attribution, the U.K. states that it “can and does attribute malicious cyber activity where we believe it is in our best interests to do so, and in furtherance of our commitment to clarity and stability in cyberspace.” However, “[t]here is no legal obligation requiring a state to publicly disclose the underlying information on which its decision to attribute hostile activity is based, or to publicly attribute hostile cyber activity that it has suffered in all circumstances.”

These are just a few of the many significant issues addressed in this speech, which I’m sure will be the subject of much commentary on this and other forums.

The new U.K. statement, like the U.S. statements before it, may seem unsatisfactory because it leaves a lot of gray area. It is difficult to draw clear legal lines in advance when the formula calls for weighing many factors. These statements leave open questions about the legal treatment of some cyberattacks that do not directly and immediately cause physical injuries or destruction but that nevertheless cause massive harm—for instance, a major outage of banking and financial services—or that weaken our defense capability, such as disrupting the functionality of military early-warning systems. But there is a limit to how quickly these issues can be worked out, so significant gray areas are inevitable, and some incrementalism is warranted here. And while the U.K. statement addresses prohibitions on political interference through cyber means, it doesn’t answer the very difficult question of where that line lies short of directly altering vote-counts. It also doesn’t address the flip side—an issue critical to major non-Western powers—of how these same international law principles apply to states’ efforts to keep their information systems closed to outside influence, including the free flow of information on the internet.

Besides such substantive issues, a big process question is how the U.K. position might catalyze broader diplomatic endeavors to clarify or create rules for cyberspace. Efforts within the U.N. to reach global consensus on these issues have so far failed, mostly because states’ interests are poorly aligned. Expert processes like the one that produced the Tallinn manuals can play useful roles, but they are no substitute for state practice and the articulation and defense of legal interpretations. At a minimum, statements like Wright’s help fill that space and, I hope, may form the basis for further collaboration on international cyberlaw among allies and other like-minded states—an issue I hope to address in more detail once I’ve had more time to digest the speech.