Legal cyberspaceOlesia Yaremenko 177240IVCMMSc Cyber Security, First YearTallinn University

Legal Aspects of Cyber SecurityProportionality of international countermeasures in cyberspaceOlesia Yaremenko 177240IVCMMSc Cyber Security, First YearTallinn University of TechnologyIntroductionOne might reasonably notice that usually in the case of the existence of some tool, technology, or a technical device, there are multiple ways of how its actual usage might deviate from the purpose it was initially designed for. The vast majority of these deviations would be entirely unlikely, though. But some might be purposefully used in order to achieve objectives other than the original. What’s also important, these deviations might not necessarily aim to harm or bring any other adverse effects to the target. In certain cases, it might be an act of malevolent curiosity or an extrapolation of the ego of the intruder and a demonstration of their capabilities.In the rapidly evolving world of technology, cyberspace already has impact on many aspects of life of the society. With its development, new problems arise both on national and international levels and they need to be solved. Nowadays, it is possible to do so much using cyberspace, and some of the actions of even one person might have an international impact; the cyberspace can easily become a source of inter-state conflicts. Cyber attacks on other states, international cyber operations of different intensity are not just a possibility anymore – they are reality. Several lines of code, a couple of clicks can completely change the way a whole society lives. Such a nature of cyberspace places a lot of pressure on the existing international legal framework. So, the question should be asked – what can and should be considered as proportional countermeasures against attacks in cyberspace, especially on international level? How and when can a state defend itself? How to define if the line is crossed and the countermeasures taken are not proportional to the initial attack anymore?As the topic of countermeasures in cyberspace in general is quite broad, the further discussion would be mostly limited to the countermeasures against the attacks that can disrupt the normal functioning of a whole state, the attacks that might initiate or support inter-state conflicts out of the virtual world, or cause some other issues on global, international level.DiscussionOne of the valuable and recent resources that, among other issues, addresses the problem of proportionality of international countermeasures in cyberspace is Tallinn Manual 2.0, which is an analysis of how international law applies to cyber operations. It reflects the views of 19 members of IGE (“International Group of Experts”), who are experts from all around the world, and several dozens of expert peer reviewers, and not the views of any specific state. However, it doesn’t mean that state views were not considered at all. It is important to note that the positions in the manual are actually positions of one or more participants of the discussions and consultations.The manual is  good reference source for international laws in regards to different forms of cyber operations, states’ rights and responsibilities connected to them. It gives some of the possible interpretations and applications of the laws by the experts, giving the states an opportunity to clarify their laws. This clarification can help to avoid grey zones in the laws regarding cyberspace, which may otherwise be exploited by other states.Among other sources that might be help to find answers to the questions mentioned in the introduction, are some of the articles of the Charter of the United Nations (“UN Charter”) and Draft Articles on Responsibility of States for Internationally Wrongful Acts (“Draft Articles”, “ARSIWA”), that can help to define what are lawful countermeasures and when the rights of a state to self-defence may be exercised.There is a consensus that existing international law applies to cyberspace, even though there are a lot of modifications needed to to be done. What is more challenging is to define how exactly the law applies to cyber operations.The United States has made some progress in it. However, in general, the positions of states regarding this subject are not really made public, which makes them guess the views of others on the legal framework that can be applied.While it is possible to determine this based on specific cyber incidents when they occur, it is also very important to define the framework outside of the specific cyber operations. It should be defined what laws are applicable to the cyber activity that may be defined as a use of force, or that happens during an armed conflict.Activities in cyberspace may in certain circumstances constitute use of force within the meaning of Article 2(4) of the UN Charter and international law. There is a debate, though, regarding how exactly to define what kinds of activity in cyberspace constitute an armed attack, that would implicate a state’s right to self-defense by using force under Article 51 of the UN Charter. Most researchers and experts propose to answer this question on the basis of the effects and impact the activity has on the targeted state, and how it resembles the the actions of military force. For example, if the physical consequences of a cyber attack create the same or similar  kind of physical damage as dropping a bomb or firing a missile does, then cyber attack should equally be considered an armed attack.The rules of conducting attacks must be applied  to the cyber operations that  constitute attacks under the law of armed conflict – for example, they should be directed against military objectives only. All operations should also be in accord with the requirements on proportionality. For cyberspace, it means that the states that are sides of the conflict should assess the effects of operations conducted on both military and civilian infrastructure and users, and take precautions to reduce the risk of harm to civilians and non-military infrastructure. However, the proposal to define armed attacks by the methods mentioned above leaves a lot of activities out, as traditionally the definition of armed attacks focuses on military coercion via conventional weapons, thus excluding almost all forms of aggression conducted by means of cyberspace. Not all cyber operations can be considered attacks under the law of armed conflict. The UN law on the use of force does not contain any rules regarding countermeasures against the use of force below the threshold of an armed attack. The problem is, even if the international community clarified which actions in cyberspace are to be considered on the level of an “armed attack,” a substantial part of hostile cyber activities would remain outside of the laws of armed conflict.However, these unlawful actions can still have disruptive and threatening effects on the targeted state. To determine if an operation is actually an attack, a state should consider the effects of the operation, their scope, and define if there is any connection between the cyber operation and an ongoing armed conflict, if there is one.Also, there is no absolute prohibition existing on the remote cyber operations that involve devices that are located on the territory of another state, so they may be not considered a violation of law. An example of such activities is intelligence collection abroad, which has minimal or no effects on the other state’s territory.  But at the same time, there is a separate question that could be raised, as although some operations may not violate any international laws, they may at the same time violate another state’s domestic law, especially if there’s no prior consent given. How such cases should be regulated? Some may also ask – why does it even matter if the activity is an attack and if it violates international law or not? It matters, because if there is a legal framework accepted by the international community, it would allow to stabilize the cyberspace, provide compliance, and give the states a legal basis to criticize those who violate the standards and come up with appropriate response. Countermeasure is a mechanism of unilateral decentralised self help without application of force, that can be employed by a state in response to an internationally wrongful act conducted by another state, to enforce international law. According to the Draft Articles, countermeasures permit a victim state to temporarily disregard its legal obligations toward the attacker in order to stop its illegal conduct. The legality of countermeasures is based on existence of a prior wrongful act by another state, inability or unwillingness of the attacker to remedy the situation, and proportionality of the measure. These factors would be discussed further below.If talking about the options a state might have to respond to operations in cyberspace, that are not considered an attack under the law of armed conflict, it can respond with any acts that are consistent with the state’s international obligations to influence the behavior of other states. Some examples of these acts are declaring a diplomat from the hostile state a persona non grata, or introducing sanctions against the state. According the Draft Articles, a state may legally deploy countermeasures only under a limited set of circumstances. The countermeasures are considered to be peacetime unilateral remedies, taken outside the context of armed conflict; they are approved for bringing the attacker into compliance with its international obligations, to remedy existing harm, but not to exact revenge.It is also possible for the state to use force in self-defence as a response to an attack, as in certain circumstances it wouldn’t violate international law. The international doctrine regarding countermeasures permits an attacked state to take measures that might otherwise be considered unlawful, if this state is a victim of a wrongful act of another state. In this case, measures can be taken to make the offender to cease the harmful actions and comply with its international obligations. However, the wrongful act should be attributable to the state, as otherwise countermeasures are not available.Cyberspace significantly increases ability to engage in attacks with “plausible deniability” by acting through proxies. And if it later turns out that there wasn’t a wrongful act that made it possible to take countermeasures, or the attribution was not accurate, the responding state may be held responsible for violating international laws, instead. Also, under the laws regarding countermeasures, any response to a wrongful act should only be directed at the offender and be proportional. Basically, the countermeasure should be designed in such a way that would make the offender to comply with its obligations, and stop as soon as the offending state ceases its unlawful actions. So, countermeasures should not be engaged in likely – all circumstances of the activities that may call for the countermeasures should be carefully inspected before the response.The international rules regarding countermeasures also requires the victim to call upon the offending state to comply with its obligations before any countermeasures may be taken. The purpose of the requirement is to give the attacker a notice of the other side’s claim and an opportunity to respond to it, before any other steps are taken. Article 52 of the Draft Articles requires an injured state to make both a “prior demand” that the injuring state cease its wrongful conduct, and an offer to negotiate on the case, before the injured state may properly employ any countermeasures. Also, countermeasures may not be undertaken if the wrongful act has ceased (also mentioned in Article 53) or has been submitted to an international court or tribunal.It’s also important to note that the countermeasures taken in response to unlawful activities in cyberspace may be either cyber-based or non-cyber-based, depending on the decision of the responding state and specific circumstances.The Draft Articles mention two main constraints regarding how countermeasures should be exercised. These constraints are necessity (which  refers to the corrective function of countermeasures) and proportionality. A possible way of measuring proportionality is by establishing a degree of equivalence between the initial attack and the response to it. The proportionality requirement is needed to check how an injured state may use countermeasures to respond to a cyber attack, and is measured in terms of both quality and quantity. The principle of proportionality prohibits attacks that may cause loss of life or injury in regards to civilians, or damage to civilian objects that would be excessive in relation to the anticipated military advantage. When it comes to determining the proportionality of countermeasures, Article 51 of the Draft Articles says that the “countermeasures must be commensurate with the injury suffered, taking into account the gravity of the internationally wrongful act and the rights in question”. From this definition, it appears that both quantitative and qualitative factors relating to the victim state, attacking state, third states and maybe also some individuals that may be affected by the countermeasure should be taken into consideration.Therefore, it is important to identify the purpose of the countermeasure because that is the primary reference against which proportionality should be assessed. Article 49 of ARSIWA defines the next purpose of countermeasures – to induce a State to cease its wrongful activity and/or provide reparation. In case reparation of damage is the objective of countermeasures, then the injury should be used for assessing the proportionality of the countermeasure. If making the offender to comply is also an aim, the countermeasures may potentially involve a higher amount of compulsion when compared to the initial injury.Many experts suggest that so called “reciprocal countermeasures” are a key to ensuring the proportionality of states’ response to cyber attacks. The Draft Articles define reciprocal countermeasures as the “countermeasures which involve suspension of performance of obligations towards the responsible State if such obligations correspond to, or are directly connected with, the obligation breached”. Applying this logic to attacks in cyberspace, a victim state has a right to counter the attacks with the use of responsive cyber-tactics.Even though countermeasures seemingly offer an international legal framework through which states should be able to respond to unlawful activities without employing military force, the current formulations of necessity and proportionality requirements fail to provide adequate limitations when being applied to cyberspace. The  current trends of utilizing reciprocal countermeasures ignore the possibility that they may have very disproportionate consequences under international law. As it seems, the existing laws regarding countermeasures is not ready to take on the challenges that cyberspace already presents to us.In the context of repeated cyber activities, proportionality may be assessed against the cumulative impact of  the operations.  The victim state can use force by way of self-defence if repeated non-intensive cyber operations involving the use of force may cross the threshold of an armed attack when the effect is accesses cumulatively. The proportionality of the self-defence actions should then be assessed against its aim. Yet, even if operations in cyberspace do not rise to the level of an armed attack, a state may react to repeated non-intensive cyber operations through countermeasures proportionality of which should be assessed against the cumulative effect of the prior operations and the aims of countermeasures. Also, because of the fluidity of cyber operations and cyberspace itself, the lack of definite borders and the difficulties in identifying the source of an attack, it has been suggested that reciprocal countermeasures are most suitable and effective in the context of cyberspace – even though they may have their flaws.ConclusionSome may argue that it is counterproductive to make laws as clear as possible, as ambivalence in them gives a chance to find loopholes and use them for defence. However, one shouldn’t forget that by allowing such grey zones to exist and be used, the involved states give others an opportunity to do the same. So, in my opinion, the laws should provide as much clarity as possible, and give the exact rules of conduct, thus stabilizing the international relations and make the interaction more predictable. When states will know what response can be expected as a result of their actions, the chance of escalation of a conflict will be lower, it will be easier for the participants of some form of cyber exchange to interpret the actions of other side(s) correctly.The law of armed conflict should clearly regulate the use of cyber tools in hostilities, just as it does other tools. The principles of necessity and proportionality limit the use of force in self defense, and should regulate what may be a lawful response under the specific circumstances. There is no legal requirement that the countermeasure to a cyber attack should take the form of a cyber action.It doesn’t appear to be possible to define the proportionality of international countermeasures in cyberspace without taking into account multiple factors including, but not limited to, the specific characteristics of the initial attack that calls for the countermeasures taken (like the source of the attack, its circumstances, timeline, targets), the consequences (potential and actual) for the attacked state, the impact the attack caused (or might cause); and the same should be taken into account for the countermeasures (potential or already taken).Just as cyberspace presents new issues for lawyers, it presents challenging new technical and policy issues. Not all of the issues have clear legal answers derived from existing precedents. Answering these questions within the framework of law, consistent with international values and accounting for the legitimate needs of states’ national security, will require a constant dialogue between lawyers and policymakers.Further research on the topic may include the analysis of case studies in cybersecurity legislation related to countermeasures, laws and rules related to warfare and international relations. Documents and policies of different countries that are related to international strategy in regards to war, defence and offence rules – especially in case they also provide a definition or refer to cyberspace, may reveal different perspectives on what could be appropriate countermeasures in cyberspace and their proportionality. Deep analysis of the already existing laws may help to create a new legal framework that would take into account the nature of cyberspace, and provide new or properly updated definitions with respect of states’ rights. BibliographyDraft articles on Responsibility of States for Internationally Wrongful Acts, with commentaries, 2001 – Copyright © United Nations 2008. Available at: http://legal.un.org/ilc/texts/instruments/english/commentaries/9_6_2001.pdfResponsibility of States for Internationally Wrongful Acts, 2001 – Copyright © United Nations 2005. Available at: http://legal.un.org/ilc/texts/instruments/english/draft_articles/9_6_2001.pdfCharter of the United Nations – UN Charter (full text). Available at: http://www.un.org/en/sections/un-charter/un-charter-full-text/Brian J. Egan, International Law and Stability in Cyberspace, 35 Berkeley J. Int’l Law. 169 (2017). Available at: http://scholarship.law.berkeley.edu/bjil/vol35/iss1/5Katharine C. Hinkle, Countermeasures in the Cyber Context: One More Thing to Worry About, The Yale Journal of International Law Online, Fall 2011, Vol. 37. Available at: https://files.apks.com/countermeasures%20in%20the%20cyber%20context_one%20more%20thing%20to%20worry%20about_yjil_hinkle%20fall%202011.pdfEnzo Cannizzaro, The  Role  of  Proportionality  in the  Law  of  International Countermeasures, EJIL 2001. Available at: http://www.ejil.org/pdfs/12/5/1554.pdfTsagourias, Nicholas, The Law Applicable to Countermeasures Against Low-Intensity Cyber Operations (October 4, 2014). Baltic Yearbook of International Law, Volume 14, Brill, Forthcoming. Available at SSRN: https://ssrn.com/abstract=2533950Michael Schmitt, Tallinn Manual 2.0 on the International Law of Cyber Operations: What It Is and Isn’t – February 9, 2017. Available at: https://www.justsecurity.org/37559/tallinn-manual-2-0-international-law-cyber-operationsColonel Gary Corn, Tallinn Manual 2.0 – Advancing the Conversation – February 15, 2017. Available at: https://www.justsecurity.org/37812/tallinn-manual-2-0-advancing-conversation/Hongju Koh, Harold, “International Law in Cyberspace” (2012). Faculty Scholarship Series. Paper 4854. Available at: http://digitalcommons.law.yale.edu/fss_papers/4854Michael N. Schmitt, Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations, 2017