What Would Happen If States Started Looking at Cyber Operations as a “Threat” to Use Force?

How are threats of force conveyed in cyberspace? When hackers compromised the SolarWinds Orion software in the spring of 2020, they trojanized the so-called Sunburst backdoor, a system designed to communicate with third-party providers. Through that backdoor, the hackers could execute commands, including disabling services and rebooting machines. This operation was effectively a power transfer and a significant one, at once giving those actors an “eye” into all of the victim’s data and a finger on the trigger. Regardless of how one qualifies the operation against SolarWinds, how the features of such operations interact with the rules of international law requires attention. Public reporting about SolarWinds suggests the operation was limited to data exfiltration from a circumscribed group of victims that did not suggest any future use of force. Nonetheless, the case raises a question: If the presence of backdoors in a victim’s network allows for future exploits capable of causing functionality losses generating destruction (or even deaths), could their presence be seen as threatening such results? More broadly, when does a cyber operation that does not itself constitute a use of force threaten force? 

Article 2(4) of the U.N. Charter requires member states to refrain from both the “threat” and the “use” of force. When it comes to cyberspace, the latter prohibition has spawned seemingly endless discussions among states (for recent roundups, see, for example, here and here) and scholars alike (see here, here, here, here, and, of course, here). International legal discourse is entering its third decade of debates on what constitutes a use of force in cyberspace, how to assess scale and effects in this new environment, and whether cyber operations that the international community has already observed, such as Stuxnet or NotPetya, qualify as a use of force or even rise to the level of an armed attack to which states can respond in self-defense. In contrast, the prohibition on the threat to use force has received almost no attention. Considering the recent drastic upsurge in cyber operations, and their diverse means, methods, and effects that individually (or collectively) imply a risk of further operations, there is a need for more dialogue about the obligation to refrain from the threat of force in cyberspace. Here, we hope to launch that conversation, exploring an otherwise underutilized obligation in the international legal arsenal that may yet have an important role to play in regulating state and state-sponsored cyber operations.

The contours of the prohibition on threats to use force are clear in its key respects. First, the state’s threatened action must qualify as a use of force—threats to intervene economically or politically in another state fall outside the prohibition. Second, the threat must be to use force unlawfully. As the International Court of Justice explained in its landmark Nuclear Weapons Advisory Opinion, “The notions of ‘threat’ and ‘use’ of force under Article 2(4) of the Charter stand together in the sense that if the use of force itself in a given case is illegal—for whatever reason—the threat to use such force will likewise be illegal.” Conversely, if a use of force is permissible (for example, as an exercise of self-defense), so too are threats to pursue it. Third, a threat need not be explicit (like an ultimatum)—it can also be conveyed implicitly. As noted in the Commentary to Rule 70 of the Tallinn Manual 2.0, the second edition of the most comprehensive guide on the applicability of existing international law to cyber operations, a threat can be conveyed by any means (for instance, through public pronouncements), and the substance of such threat is “to carry out cyber operations qualifying as a use of force.” Explicit threats are not only the “easy” case but also the rare one. In cyberspace, the prohibition may have much more utility for implicit cyber threats—what the Commentary to Rule 70 describes as “a cyberoperation that is used to communicate a threat to use force.” 

In assessing the existence of an implicit threat of force, context has a major role to play. Not all manifestations of force will qualify as a threat under Article 2(4) of the U.N. Charter. All relevant contextual factors need to be considered, and the mere acquisition of weapons or demonstration of capacity (moving troops or ships) may not themselves be sufficient to constitute threats. As suggested by the Independent International Fact-Finding Mission on the Conflict in Georgia (IIFFMCG), however, if manifestations of force “are non-routine, suspiciously timed, scaled up, intensified, geographically proximate, staged in the exact mode of a potential military clash, and easily attributable to a foreign-policy message, the hostile intent is considered present and the demonstration of force manifest.”

In examining threats of force, international law focuses more on an objective approach. That is, even if the existence of a signaled intention to use force lies at the core of the assessment, that assessment can be conducted by reference to objective manifestations of such intent. Importantly, a crucial element in the examination of a threat of force is its credibility. According to the IIFFMCG, it is enough for the threat to create “a calculated expectation that an unnamed challenge might incur the penalty of military force within a dispute.”

The international legal community thus has a good sense of the relevant legal criteria for threats of force in the kinetic context. In the context of the conflict in Georgia, the IIFFMCG considered a number of Georgian actions, including its launching of air surveillance over the Abkhaz conflict zone in spring 2008, its participation in repeated exchanges of fire in South Ossetia, and its engagement in a comprehensive military buildup with the assistance of third parties, including acquiring modern weaponry. How might such criteria extend to cyberspace? These criteria suggest, first, that the intelligence-gathering aim of a digital operation and the legality of espionage under international law do not preclude treating gathering of information as a factor in assessing the existence of a threat of force. Second, the acquisition of certain cyber capabilities may be relevant to the analysis. Finally, repetition of conduct matters, a point of particular relevance to cyberspace where cybersecurity experts regularly observe patterns and operational signatures.

Become a supporter of IT Security News and help us remove the ads.