Deterring Gray-Zone Cyberwar: A Legal Critique

The advent of the Fourth Industrial Revolution has heralded a new era of strategic competition,where wars are increasingly waged in cyberspace and below the threshold of armed  conflict.1United States law, however, has only slowly adapted, ex post facto, to the onslaught of hybrid and gray-zone cyberattacks, relying instead on conventional cost imposition and a  strategy of “persistent engagement” that cedes initiative to the attacker by emphasizing defense over deterrence.[2] Our faith in existing domestic and international laws to adequately dissuade cybercriminal activity has left stretching loopholes in juridical processes determining the  threshold for retaliation. Consequently, cyberattacks are occurring at an alarming frequency because adversarial states progressively view them as a low-cost option to achieve national  objectives; in the past two years alone, over forty major cyber incidents targeted the United  States, many of which were intended to disrupt the democratic lifeblood of our country: the electoral process. [3]

Gray-zone and hybrid cyberattacks aim to covertly undermine US security, acting under a  banner of plausible deniability to remain in the ambiguous periphery between peace and armed  conflict, thus avoiding substantial reprisal.[4] For instance, the 2020 SolarWinds hack, where  Russia-backed hackers collected information about a slew of US agencies, is the quintessence of  a gray-zone operation, rising above the threshold of standalone cyber espionage but incurring no  casualties. The US response, however, merely consisted of sanctions and expelling ten Russian  diplomats—a disproportionally mild penalty vis-à-vis the magnitude of the hack. [5]

Relying on an inappropriate extension of conventional warfare’s legal procedures into  cyberspace, US law does not provide policymakers with sufficient basis for credible retaliatory  action against gray-zone and hybrid cyberattacks because it relies on a traditionalist war-peace  dichotomy; this artificial delineation renders invisible the coercive effects of mid-spectrum cyber  rivalry endemic to modern competition that often outweigh the cumulative politico-economic consequences of traditional warfare.[6] Geopolitical strategic competition is no longer an easily  groupable binary between war and peace, but rather an increasingly decentralized, politicized,  and widespread stalemate in cyberspace, with each side persistently competing for advantage. Against this backdrop, despite US rhetoric reflecting awareness of gray-zone conflict, continuing  to operate within the flawed confines of twentieth-century warfighting will inevitably impact every aspect of American livelihood, irrevocably corroding the rules-based international order  and surrendering cyberspace to near-peer competitors like Russia and China.[7]

Resolving the retaliation dilemma first requires a solution to the non-justiciability of  many gray-zone cybercrime cases. Because court rulings hold more weight internationally than  unilateral declarations of retribution, as status quo US cybercrime retaliation has done, they are  the optimal option for legitimating proposed US counteraction; in fact, many international organizations depend on domestic courts in a hierarchical relationship for enforcing international  law.[8] Since the primary intent of cyberattacks is information gathering, however, current US  courts would likely dismiss cyber espionage-related cases on a lack of Article III standing because a data breach in the abstract does not constitute “‘any misuse . . . causing any of the  customers any actual injury.’”[9] In addition, the Second Circuit Court of Appeals has ruled that courts must establish the hackers’ intent to obtain data, misuse of stolen data, and the type of  data lost to determine Article III standing for a data breach.]10] Gray-zone cyberattacks complicate  these standards through plausible deniability; information typically targeted by state-sponsored  hackers is not categorized as “sensitive information” according to McMorris v. Carlos Lopez and  can be stored for future use against the United States. This unjusticiability constrains the  legalistic paradigm of international law and has caused the rapid proliferation of devastating cyberattacks in recent years.[11] Halting this intensifying spiral of cyber-espionage, however,  cannot wait for lex ferenda to coalesce slowly. Short-term, doctrinal changes must occur in the  interim.

US response to a cyberattack generally involves three components: public denouncement  of the attacking state, citing international law violations; publicized diplomatic negotiation; and moderate sanctions.[12] As evinced by the bombardment of cyberattacks every year, however, this  policy of self-restraint does little to deter malicious cyber activity effectively.[13] US policy currently operates in an echo chamber of international law, lacking a credible accountability  mechanism whereby transgressions of domestic and international law can be policed, but still believing our adversaries would eventually come to respect the international order whose  principal function is to suppress their influence. In addition, separate Title 10 and Title 50 authorities, both for cyber activities but implemented under the United States Cyber Command  and National Security Agency respectively, hinder authorization for split-second decisions;  operating in cyberspace, openings may appear and disappear within minutes, far quicker than  legal authorization can arrive.[14] Although the Department of Defense’s highly centralized  command and control framework was ideal for slower-paced traditional environments, great power cyber strategic competition demands a more flexible approach based on credible  deterrence rather than public shaming. For instance, after Russia’s interference in the 2016  presidential election, former President Barack Obama issued grave warnings to Russia, citing international law and alluding to US retaliation.[15] After no substantial countermeasures  materialized except sanctions, however, Russian hacking began an upswing that persists to this  day, manifesting itself in further election interference and critical infrastructure disruption.

Although a perfect solution has eluded governments around the world, sustaining  advantage in great-power cyber competition with adversaries like Russia and China is a  prerequisite for national survival in the Information Age. Competing effectively requires a  flexible cyber deterrent whose legitimacy can stem from either the judiciary, a strengthened web  of international law, cyber retaliation, or a holistic combination of multiple strategies.16 In fact, patching domestic US legal loopholes spills into regional security organizations, such as the  North Atlantic Treaty Organization, globally repelling the authoritarian cyber-warfare that attempts to undermine international stability.[17] Maintaining the ad hoc application of  conventional warfighting theory into cyberspace, however, will ensure the United States and its  allies are caught unprepared amid cyberwar, nevermore tasting global hegemony.

References

1 Marc Polymeropoulos and Arun Iyer, “US adversaries have been mastering hybrid warfare. It’s time to  catch up,” Atlantic Council, February 8, 2022, https://www.atlanticcouncil.org/blogs/new-atlanticist/us-adversaries have-been-mastering-hybrid-warfare-its-time-to-catch-up.

2 Michael P. Fischerkeller and Richard J. Harknett, “Persistent Engagement and Cost Imposition:  Distinguishing Between Cause and Effect,” Lawfare, February 6, 2020, https://www.lawfareblog.com/persistent engagement-and-cost-imposition-distinguishing-between-cause-and-effect.

3 “Significant Cyber Incidents Since 2006,” Center for Strategic & International Studies, November 9,  2022, https://csis-website-prod.s3.amazonaws.com/s3fspublic/221109_Significant_Cyber_Incidents.pdf?rtBeiaU5udNFja3s9JD_Aemk9LLWDhX.

4 Polymeropoulos and Iyer, “US adversaries have been mastering hybrid warfare.”

5 Akshita Jain and Gino Spocchia, “Biden expels Russian diplomats and announces new sanctions in  retaliation for hacking,” The Independent, April 16, 2021, https://www.independent.co.uk/news/world/americas/us politics/biden-russia-sanctions-putin-hacking-b1831934.html; Lucas Kello, “Cyber legalism: why it fails and what  to do about it,” Journal of Cybersecurity 7, no. 1 (2021): 2, doi: https://doi.org/10.1093/cybsec/tyab014.

6 Kello, “Cyber legalism,” 3-5.

7 Clementine G. Sterling and Julia Siegel, “The future of US security depends on owning the ‘gray zone.’  Biden must get it right,” Atlantic Council, June 10, 2022, https://www.atlanticcouncil.org/content-series/hybrid warfare-project/the-future-of-us-security-depends-on-owning-the-gray-zone-biden-must-get-it-right.

8 Rafaella Kunz, “Judging International Judgments Anew? The Human Rights Courts before Domestic  Courts,” European Journal of International Law 30, no. 4 (2019): 1135, doi: https://doi.org/10.1093/ejil/chz063.

9 Tsao v. Captiva MVP Rest. Partners, LLC, 986 F.3d at 1336, 2021 U.S. App. LEXIS 3055, 28 Fla. L.  Weekly Fed. C 2434, 2021 WL 381948 (United States Court of Appeals for the Eleventh Circuit February 4, 2021,  Filed).

10 McMorris v. Carlos Lopez & Assocs., LLC, 995 F.3d at 301-303, 2021 U.S. App. LEXIS 12328 (United  States Court of Appeals for the Second Circuit April 26, 2021, Decided).

11 Kello, “Cyber legalism,” 10.

12 Dustin Carmack, “U.S. Response to Cyberattacks? It Must Be More Than Just Biden’s “Off Limits”  List,” The Heritage Foundation, July 9, 2021, https://www.heritage.org/cybersecurity/commentary/us-response cyberattacks-it-must-be-more-just-bidens-limits-list.

13 Gary Corn and Eric Jensen, “The use of force and cyber countermeasures,” Temple International &  Comparative Law Journal 32 (2018): 132-133.

14 Michelle Albert, Tom Barth, and George Thompson, “Military Authorizations in a Connected World:  DoD’s Role in Cyber Influence Operations,” Cyber Defense Review 6, no. 4 (2021): 86-87. 

15 Alexander Zemlianichenko, “What Obama Said to Putin on the Red Phone About the Election Hack,”  NBC News, December 19, 2016, https://www.nbcnews.com/news/us-news/what-obama-said-putin-red-phone-about election-hack-n697116.

16 Kello, “Cyber legalism,” 10-13.

17 James A. Lewis, “The Role of Offensive Cyber Operations in NATO’s Collective Defense,” The Tallinn  Papers 8 (2015): 1-12; Sophie Arts, “Offense as the New Defense: New Life for NATO’s Cyber Policy,” German  Marshall Fund, December 13, 2018, https://www.gmfus.org/news/offense-new-defense-new-life-natos-cyber policy.