UK Says it Doesn’t Need to Demonstrate Attribution Before Engaging Cyber Retaliation
The scene was set last week when Air Marshall Phil Collins (Chief of Defence Intelligence, UK Ministry of Defence) spoke at the Royal United Services Institute (RUSI). In his speech Collins talked about the growing use of non-kinetic (primarily cyber) warfare.
“We can see numerous examples of this today,” he said: “unprecedented industrial espionage activity against the UK and Allies; private security contractors being used in high-end expeditionary warfare in Syria; cyber-attacks against national infrastructure and reputation across Europe; information operations that attempt to pervert political process and frustrate the rule of law; and attempted assassinations.”
He warned that the nature of modern warfare is becoming broader, more strategic, and features “continuous full spectrum competition and confrontation.”
The UK’s response, he said, “should be to understand first, to decide first, and then if necessary to act first, across the physical and virtual, to secure decision advantage and then operational advantage, seeking swift yet controlled exploitation of vulnerabilities and the proactive denial of opportunities.”
The implication is that the UK requires the ability (and he makes it clear that he believes the UK has that ability) to both respond to cyber-attacks and if necessary launch preemptive cyber-attacks effectively in self-defense. What he doesn’t discuss is the relationship of such actions to international law. That was left to a separate speech delivered Wednesday by the UK attorney general, Jeremy Wright QC MP, at Chatham House: Cyber and International Law in the 21st Century.
While Wright accepts that international cyber law is a difficult area, “cyberspace is an integral part of the rules based international order. That being so, it is the UK’s view that there are boundaries of acceptable state behavior in cyberspace, just as there are everywhere else.”
What this means, he says, “is that hostile actors cannot take action by cyber means without consequence, both in peacetime and in times of conflict. States that are targeted by hostile cyber operations have the right to respond to those operations in accordance with the options lawfully available to them and that in this as in all things, all states are equal before the law.”
In effect, his speech discusses legal and illegal nation-level cyber activity; and his view of a legal and illegal UK response to that.
Two aspects stand out. First, he defines a cyber-attack against the critical infrastructure that can or does lead to loss of life as an unlawful use of force that can trigger a non-cyber response. “The UK considers it is clear that cyber operations that result in, or present an imminent threat of, death and destruction on an equivalent scale to an armed attack will give rise to an inherent right to take action in self-defense, as recognized in Article 51 of the UN Charter.”
Article 51 states, “Nothing in the present Charter shall impair the inherent right of individual or collective self-defense if an armed attack occurs…” In short, the UK attorney general is stating that such cyber-attacks can legally result in a kinetic military response.
In reality, there is little new here. Bryson Bort, CEO and founder at Scythe — and a visiting fellow at the National Security Institute, George Mason university — told SecurityWeek, “This ‘position’ tends to be the prevailing opinion, but between what is publicly stated and whatever classified response may have been made in line with this doctrine, we only have confirmation that loss of life equals kinetic response, a.k.a. traditional military reprisal.”
Slavik Markovich, CEO and Co-founder at Demisto, wonders if — under this doctrine — a state can lawfully make a preemptive strike in order to prevent the potential future loss of life. “Take Stuxnet,” he said. “Is it OK for a state to launch a cyber-attack on another states’ weapon systems to preemptively defend against said state that has publicly declared it wants to destroy the cyber offensive state?”
Jeremy Wright never uses the term preemptive — but Air Marshall Collins does with his ‘proactive denial of opportunities’ assertion.
The second stand-out from Wright’s speech suggests that cyber-attacks that do not threaten life cannot lawfully result in a kinetic response. This would include Russian interference in the U.S. 2016 election (note that former director of national intelligence James Clapper told PBS NewsHour Wednesday that he believes that Russian interference didn’t just influence the election, but actually won it for Donald Trump).
Wright says it is clearly an unlawful act, and the victim (in this example, the U.S.) has the right to respond against the aggressor (in this example, Russia) — but the type of response is tempered by the doctrine of countermeasures. “Countermeasures cannot involve the use of force, and they must be both necessary and proportionate to the purpose of inducing the hostile state to comply with its obligations under international law.”
The UK disagrees in one matter with the work of the International Law Commission on countermeasures. It does not believe that a retaliating nation needs to tell the aggressor that it will retaliate — it can simply do so. That retaliation cannot be by force, but does not need to be symmetrical to the underlying unlawful act.
In simple terms, a cyber-attack that leads to loss of life can legally elicit a military response. A cyber-attack that does not lead to loss of life can only legally elicit a greater cyber response. “This statement by the UK Attorney General is the first official statement that reflects the truth on the ground,” comments Bort. It “is a pragmatic recognition of the realities of cyber warfare… It means a lot to be the first to provide this position publicly and the popularity of this position will grow from here.”
But underlying these arguments — and one discussed at some length by Wright — is the problem of attribution. “There are obviously practical difficulties involved in making any attributions of responsibilities when the action concerned is capable of crossing traditional territorial boundaries and sophisticated techniques are used to hide the identity and source of the operation” he says. “Those difficulties are compounded by the ready accessibility of cyber technologies and the resultant blurring of lines between the actions of governments and those of individuals.”
Nathan Wenzler, chief security strategist at AsTech, is particularly worried about attribution and the UK’s attitude towards it. “It’s a troubling problem,” he told SecurityWeek, “and one which no one has solved to such an extent that would allow them to make definitive statements such as Mr. Wright’s, and this leaves open the potential for a wide array of legal, ethical and political issues t
hat may come about from retaliating against an entity that either did not actually commit the initial attack or ultimately had nothing to do with the attack at all. And, while nation-state sponsored cyber-attacks are a well-known issue, it doesn’t mean that it is always the case, and the political ramifications of launching any type of response against another country without definitive proof can lead to far greater disasters.”
Bort is a little less concerned. “Attribution is hard no matter who you are,” he said. “But, nation states with advanced cyber and intelligence capabilities have a long history of solving the attribution problem. There may be a few more question-marks in the cyber domain as to who certain cyber attackers are, but it’s a generally small list of perpetrators to look at. The UK government will likely be absolutely sure when they respond.”
The key phrase from Bort is ‘intelligence capabilities’. Security researchers can only track cyber in cyber — and that is the problem. Nation states — particularly members of the 5 Eyes group — have access to wide-ranging high-grade signals intelligence and on-the-ground agents that may provide irrefutable proof that the intelligence services will never reveal for fear of losing or endangering their sources.
“I fear this may just be a setup for more strained political relationships between adversaries and no real improvement to the overall security of the cyberspace used by their citizens, corporations and other entities,” warns Wenzler. He may well be right; but there is one single sentence in Wright’s speech that takes the issue to a new level.
“There is no legal obligation requiring a state to publicly disclose the underlying information on which its decision to attribute hostile activity is based, or to publicly attribute hostile cyber activity that it has suffered in all circumstances,” he says.
If there is a purely political intent behind this speech, it is to warn foreign aggressor states that the UK (and/or its allies) can lawfully respond to an aggressive cyber-attack either by kinetic or cyber actions; and that it is not duty-bound to provide public proof of its attribution. It can legally strike back without warning.