26 December 2020

Top Expert Backgrounder: Russia’s SolarWinds Operation and International Law

by Michael Schmitt

I. The Facts: What We Know So Far

On December 7th the National Security Agency issued a warning that “Russian State-sponsored actors” were exploiting a vulnerability in digital workspace software using compromised credentials.

The next day, cyber security firm FireEye announced the theft of “Red Team” tools that it uses to identify vulnerabilities in customer systems. Reports of an ongoing software supply-chain attack against SolarWinds, a company whose products are used by over 300,000 corporate and government customers – including most Fortune 500 companies, Los Alamos National Laboratory (which has nuclear weapons responsibilities), and Boeing – quickly followed. As a supply-chain attack, the SUNBURST malware infected SolarWinds’ customers’ systems when they updated the company’s Orion software.

Agencies throughout the government were affected, including the Treasury, Commerce, Homeland Security, and Defense Departments. In response, the Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 21-01, “Mitigate SolarWinds Orion Code Compromise,” on December 13. Three days later, CISA, together with the FBI and the Office of the Director of National Intelligence, announced the formation of a Cyber Unified Coordination Group to coordinate a whole-of-government response.

The scope of the operation is daunting. According to Microsoft, the update was likely installed by over 17,000 customers, 80% of whom are located in the United States. The affected systems were diverse: 44% in the information technology sector; 18% belonged to think tanks and non-governmental organizations; 18% were government systems; and 9% were those of government contractors, most of whom support defense and national security organizations. This access allowed the attackers to plant “‘back doors’ into the networks of some 40 companies, government agencies and think tanks…that allowed them to come and go, steal data and — though it apparently has not happened yet — alter data or conduct destructive attacks.”

II. Attribution and U.S. Public Reactions to the Operation

Suspicion rapidly zeroed in on Cozy Bear (APT 29), a hacking group closely associated with Russia’s Foreign Intelligence Service, the SVR. The Russian Embassy promptly denied that Russia conducts “offensive operations in the cyber domain,” but on Friday, Secretary of State Mike Pompeo noted, “we can say pretty clearly that it was the Russians that engaged in this activity.” Bewilderingly, President Trump took to Twitter the next morning to claim, “The Cyber Hack is far greater in the Fake News Media than in actuality” and that China might be responsible.

Although the ongoing Russian operation appears to be for the purpose of intelligence gathering, and no damage has resulted, Microsoft President Brad Smith has asserted,

This is not “espionage as usual,” even in the digital age. Instead, it represents an act of recklessness that created a serious technological vulnerability for the United States and the world. In effect, this is not just an attack on specific targets, but on the trust and reliability of the world’s critical infrastructure in order to advance one nation’s intelligence agency.

Even more forcefully, Senator Dick Durbin charged, “This is virtually a declaration of war by Russia on the United States and we should take that seriously,” while Senator Chris Coons added, “It’s pretty hard to distinguish this from an act of aggression that rises to the level of an attack that qualifies as war.” From the other side of the aisle, Senator Marco Rubio urged, “America must retaliate, and not just with sanctions.”

Also sounding the alarm was Thomas Bossert, Trump’s former homeland security adviser. He warned that the “magnitude of this ongoing attack is hard to overstate.”

The Russians have had access to a considerable number of important and sensitive networks for six to nine months. The Russian S.V.R. will surely have used its access to further exploit and gain administrative control over the networks it considered priority targets. For those targets, the hackers will have long ago moved past their entry point, covered their tracks and gained what experts call “persistent access,” meaning the ability to infiltrate and control networks in a way that is hard to detect or remove.

In the networks that the Russians control, they have the power to destroy or alter data, and impersonate legitimate people. Domestic and geopolitical tensions could escalate quite easily if they use their access for malign influence and misinformation — both hallmarks of Russian behavior.

The remediation effort alone will be staggering. It will require the segregated replacement of entire enclaves of computers, network hardware and servers across vast federal and corporate networks.

While we must reserve our right to unilateral self-defense, allies must be rallied to the cause. The importance of coalitions will be especially important to punishing Russia and navigating this crisis without uncontrolled escalation (emphasis added).

Most importantly, President-elect Biden has vowed to respond:

“A good defense isn’t enough; we need to disrupt and deter our adversaries from undertaking significant cyber attacks in the first place. We will do that by, among other things, imposing substantial costs on those responsible for such malicious attacks … I will not stand idly by in the face of cyber assaults on our nation.”

III. The Current International Law Landscape

Was the operation an “act of war” as Senators Durbin and Coons suggest? And what of response options? Does the United States have a right to “unilateral self-defense,” as Mr. Bossert urges? Is President-elect Biden on firm ground in promising a response to such cyber operations?

In the face of this saber-rattling, Professor Jack Goldsmith of Harvard Law has cautioned that “the U.S. government has no principled basis to complain about the Russia hack, much less retaliate for it with military means, since the U.S. government hacks foreign government networks on a huge scale every day… a military response to the Russian hack would violate international law.” For him, “The United States does have options, but none are terribly attractive.”

These and similar statements raise two questions: did the SolarWinds operation violate international law, and what response options does that body of law allow in this case?

A. Internationally wrongful acts

To constitute an “internationally wrongful act,” a cyber operation generally must be 1) attributable to a state and 2) breach an obligation owed another state (art. 2, Articles on State Responsibility). For the purpose of analysis, let us assume that either SVR personnel or Cozy Bear hackers operating pursuant to the “instructions or direction or control” of a Russian intelligence agency conducted the operation. In either case, the operation would be attributable to Russia (see arts. 4 and 8 respectively, ASR), thereby satisfying the first element of an unlawful act.

Prohibition on use of force?

As to the second, breach, it is first necessary to deal with assertions that the Russian operation amounted to an “act of war.” In fact, the notion of “act of war” no longer exists as a term of art in international law. Instead, when the term is used, it is usually meant to refer to situations in one of two distinct bodies of international law.

The first is the legal regime governing the resort to force, the so-called jus ad bellum. In that body of law, the term refers to breach of the prohibition on the “use of force” resident in Article 2(4) of the UN Charter and customary international law. Unfortunately, the threshold at which a cyber operation amounts to a use of force remains unsettled.

There is widespread agreement that one resulting in significant physical damage or injury qualifies (see, e.g., 2015 UN GGE Report endorsed by the General Assembly). It is reasonable to extend the notion to a relatively permanent loss of functionality of cyber infrastructure. Yet, whether cyber operations that are neither destructive nor injurious can constitute a use of force remains an open question, the answer to which involves many factors (Tallinn Manual 2.0, rule 69).

A trend seems to be emerging that implicitly acknowledges the possibility by looking to the “scale and effects” of the cyber operation in question to assess the matter (see, e.g., Australia, Finland, Netherlands, and New Zealand). France has gone furthest by explicitly noting that in its view a cyber operation need be neither destructive nor injurious to violate the prohibition. France would, for instance, consider certain severe cyber operations targeting its economy as a use of force, and even an “armed attack” giving it the right of self-defense (see discussion below).

Whatever view one takes on the appropriate standard for qualification of cyber operations as a use of force, the SolarWinds operation generated no effects that would cross any conceivable use of force threshold. No physical damage, injury or permanent loss of functionality occurred, and although there will be significant economic costs, they are not at the level that any state has even hinted might justify characterization as a use of force. Only if Russia later operationalizes its access to the US systems by causing damage, as Mr. Bossert has suggested is possible, could the resulting damage possibly amount to a use of force.

Law of armed conflict?

The second legal concept to which “act of war” is sometimes meant to refer is “armed conflict.” Armed conflict, a term that is the contemporary legal counterpart to the lay term “war,” denotes a situation in which there are “hostilities” between states (international armed conflict), between a state and non-state actor in certain circumstances, or between non-state actors (non-international armed conflict) (Tallinn Manual 2.0, rules 82 and 83). It must be emphasized that the sole purpose of ascertaining whether an armed conflict exists is to determine whether international humanitarian law (IHL) applies. The wrongfulness of a cyber operation is determined independently by such rules as the prohibition on the use of force (if the operation involves a use of force) or IHL itself (if the operation occurs in the context of an armed conflict).

As this is an action by one state against another, the question is whether an international armed conflict exists by virtue of the SolarWinds operation. Although the precise threshold of harm that qualifies as hostilities in the cyber context remains unsettled, the notion is generally conceived in terms of an exchange between the armed forces that results in some degree of physical damage or injury. Here, the fact that an intelligence agency is behind the SolarWinds operation augurs against classification as an armed conflict. So too does the fact that no damage has been caused yet. And no state or IHL expert has ever contended that mere intelligence gathering, no matter how severe the consequences thereof for the state concerned, can trigger an armed conflict as a matter of law.

Prohibition on intervention?

Nor does the SolarWinds operation appear to have violated the prohibition of intervention into the internal affairs of the United States (Tallinn Manual 2.0, rule 66). As noted by the International Court of Justice in its Paramilitary Activities judgment (para. 205), intervention has two elements – coercion and domaine réservé. To be coercive, a cyber operation must in some way deprive the target state of choice, either by causing it to do things or make decisions it would otherwise not do or decide, or vice versa. Second, the coercive effect must bear on the state’s domaine réservé, a term that refers to internal or external affairs that international law leaves to states to handle. The paradigmatic example of intervention in the cyber context is manipulating election returns or interfering with the operation of election machinery, thereby coercing the choice of political system.

The SolarWinds operation does not qualify as intervention for several reasons. First, the operation is not coercive; it is not intended to compel any specific choice by the United States. The intelligence gathered may be employed to support coercive operations in the future, but its mere collection is not coercive.

Second, there is no indication that the operations were meant to coerce with respect to any particular aspect of the domaine réservé. This element is often misapplied when assessing whether a cyber operation qualifies as intervention. It is not the target of the cyber operation that must fall within the domaine réservé, but instead the policy choice (or execution of a policy) that has to do so. For instance, it is possible to target private cyberinfrastructure in order to compel a change in a policy of the target state that falls within the domaine réservé, but the mere fact that government cyberinfrastructure is targeted does not alone suffice to satisfy the element. Accordingly, that national security infrastructure was in part the object of the SolarWinds operation does not meet the requirement for coercion vis-à-vis a domaine réservé.

Sovereignty?

The key question with regard to the SolarWinds operation is whether it violated the sovereignty of the United States. To begin with, there is an ongoing debate over whether there is even a rule of sovereignty applicable to cyber operations. The United Kingdom is of the view that no such rule applies, although all other states that have expressed themselves on the matter take the opposite position (e.g., Bolivia, China, Czech Republic, Finland, France, Germany, Guatemala, Guyana, Iran, Netherlands, New Zealand, Republic of Korea, and Switzerland, as well as NATO except for the UK — see here, here, and here). The United States has taken no position on this issue to date.

Assuming the existence of a rule of sovereignty, which is the better position as a matter of law, sovereignty may be violated in two ways (Tallinn Manual 2.0, rule 4). First a violation may occur on the basis of territorial inviolability. Those who support a rule of sovereignty agree that remotely causing damage or injury on the target state’s territory by cyber means suffices. There is growing consensus that causing a relatively permanent loss of functionality is understood to constitute damage. No such consequences appear to have been caused by the SolarWinds operation.

Whether other consequences may amount to a sovereignty violation has yet to be resolved, in part because the unfortunate debate over the existence of a rule has distracted the international community from addressing this critical issue. Be that as it may, it is unsettled, for example, whether a cyber operation that causes a loss of functionality necessitating a reload of the operating system or other essential data, or that causes the targeted infrastructure to operate improperly, is a sovereignty violation. Again, that does not appear to be the case here.

The best argument for a sovereignty violation on the basis of territoriality is that in order to operate the affected cyberinfrastructure with confidence, replacement of infrastructure affected by the SolarWinds operation is necessary, and it is that need that qualifies as the requisite damage. After all, to the extent indirect harm is the likely result of a cyber operation, it is arguably reasonable to consider it when making a sovereignty breach determination. Of course, the more attenuated the chain of causation, the less reasonable it would be to do so. Finding a sovereignty breach on the basis that if the espionage is discovered, the victim state would decide to replace the affected infrastructure would be quite a stretch even for those who support sovereignty as a rule.

The second basis for finding a violation of sovereignty is interference with, or usurpation of, an inherently governmental function. In this case, there are numerous inherently governmental functions (functions in which states alone have the authority to engage) that are implicated, such as national defense and diplomacy. However, while some of the targets were inherently governmental in character, the mere fact of espionage has never been characterized as interference, at least not as that concept is understood with respect to sovereignty violation. Rather, interference typically signifies making performance of the function in question more difficult.

Based on the facts made public thus far, it does not appear the SolarWinds operation violated international law. This conclusion bears on the availability of responses.

B. Response options

Although many options exist for responding to hostile cyber operations (e.g., domestic law enforcement), the most relevant international law options in the cyber context are self-defense, the plea of necessity, countermeasures, and retorsion.

Pursuant to Article 51 of the UN Charter and customary law, self-defense, whether unilateral or collective, is permissible in the face of a use of force, whether cyber or not, that qualifies as an “armed attack” (art. 21, ASR; Tallinn Manual 2.0, rule 71). There is some disagreement over the threshold for an armed attack, with the International Court of Justice setting forth the prevailing view that an armed attack is the “most grave” form of the use of force (Paramilitary Activities judgment). The United States, by contrast, has long been of the view that the use of force and armed attack thresholds are identical, such that every use of force is an armed attack. By either position, self-defense is unavailable in this situation because the SolarWinds operation does not, as explained, qualify as a use of force.

The plea of necessity is available to justify a response when states need to respond to a “grave and imminent peril” to an “essential interest” and the only means of putting an end to the peril is to take action that would otherwise violate international law (art. 25, ASR; Tallinn Manual 2.0, rule 26). Although the U.S. Cybersecurity and Infrastructure Security Agency has characterized the risk posed by the SolarWinds operation as “grave,” it must be cautioned that gravity is an objective standard, one denoting a particularly severe situation.

If the operation is a grave peril as a matter of law, certain of the affected interests, especially national security, clearly qualify as essential. However, conducting cyber or other operations against Russia in response to the SolarWinds operation is unlikely to be effective in terminating it. In any event, other operations, such as Microsoft’s “sinkholing” of a domain that the malware uses for command and control, are addressing the threat. Therefore, the plea of necessity is not on the table as a response option because a response directed at Russia is not the sole means of dealing with the incident.

The third possibility is to conduct a countermeasure(s) (arts. 22, 49-53, ASR; Tallinn Manual 2.0, rules 20-25). “Countermeasure” is a legal term of art that refers to an action by a state that would violate international law but for the fact that it is designed to put an end to unlawful action being directed against it by another state. In the cyber context, the stock example is a hack back by the victim state that would otherwise violate the sovereignty of the state that has launched the original unlawful cyber operation. One must be cautious not to confuse the legal notion of countermeasures in the law of state responsibility with the operational concept of countermeasures, which denotes the “employment of devices and/or techniques” to impair “the operational effectiveness” of an opponent’s operations.

There are two reasons that the SolarWinds operation does not open the door to countermeasures. First, remediation efforts are already underway, and it is unclear how an operation directed at Russia would improve this situation. Although it will be a while before U.S. efforts to secure the affected systems are complete, it is questionable that any proportionate U.S. countermeasures could successfully pressure Russia to discontinue its operation and neutralize its presence in key affected systems, such as those of the National Nuclear Security Administration.

And countermeasures are not permissible unless they are likely to prove successful. This is because their purpose is to restore the situation to one of lawfulness (or seek reparations) (art. 49(1), ASR). Absent a likelihood of success, a countermeasure is effectively an act of retaliation. Except for acts of retorsion, retaliation is never lawful in international law.

Second, the activity to which a countermeasure responds must amount to an internationally wrongful act (art. 49(1), ASR). As discussed above, it is difficult to see how the SolarWinds operation qualifies as such. If a response cannot qualify as a countermeasure against an internationally wrongful act, there is no basis for the preclusion of the former’s wrongfulness and the response is itself an internationally wrongful act.

Finally, the United States would be within its rights to engage in acts of retorsion. The term retorsion refers to an act (which may be an act or omission) that, albeit unfriendly, violates no rule of international law. Classic examples include those engaged in by the Obama administration in response to Russia’s 2016 election meddling – sanctions, expulsion of diplomats and closure of diplomatic facilities. Since they are by definition lawful, acts of retorsion are available as the only legally acceptable form of retaliation or punishment, and even then the acts are subject to the rules regarding the peaceful settlement of disputes (Tallinn Manual 2.0, rule 65).

IV. Reflections on the SolarWinds Operation

Cyber espionage per se is not a violation of international law (Tallinn Manual 2.0, rule 32). Rather, it violates international law only when the method by which it is conducted separately qualifies as an internationally wrongful act (as with collecting intelligence against a coastal nation while in innocent passage through its territorial sea) or the consequences render the operation as wrongful (for instance, by causing physical damage in order to hide the fact that the targeted infrastructure has been compromised). And, by the principle of sovereign equality (Tallinn Manual 2.0, rule 1), this is so whether the state concerned is the one engaging in the espionage or the victim thereof. States cannot have it both ways.

What the SolarWinds operation does highlight is, as discussed before, the skill of Russia in conducting its operations in the “grey zone of international law,” where it can maximize the effect on the adversary and minimize the risk of either condemnation for acting unlawfully or responses that require an internationally wrongful act as a condition precedent. This raises the question of how to counter a strategy that leverages normative ambiguity.

From a perspective that views international law as an imperfect, but useful, tool in fostering security and stability in cyberspace, the best approach is to individually, and in concert with like-minded states, set forth one’s interpretive positions with respect to such grey areas. States are increasingly adopting this approach and thereby hindering the effort of adversaries who seek to exploit uncertainty. Of course, it is essential that when doing so, states remain sensitive to their own interests in retaining normative room to respond to hostile cyber operations. They must strike a balance between the building of normative firewalls and employing cyber capabilities as a tool in ensuring legitimate national interests.
