Cyber operations are an increasingly ubiquitous mechanism for the conduct of statecraft, espionage, and warfare. Russian interference in American elections is one recent and prominent example of cyber interference. The John McCain National Defense Authorization Act (NDAA) for fiscal year 2019 includes several provisions on cyber operations, specifically addressing threats such as interference with elections. Section 1642 of the NDAA pre-authorizes the National Command Authority (the President and Secretary of Defense) to direct the U.S. Cyber Command “to take appropriate and proportional action in foreign cyberspace to disrupt, defeat, and deter such attacks” (emphasis added) in response to “an active, systematic, and ongoing campaign of attacks against the Government or people of the United States in cyberspace, including attempting to influence American elections and democratic political processes” conducted by Russia, China, Iran, or North Korea.
However, proportionality in response to attempts to “influence American elections and democratic political processes” is unclear at this stage. In the context of cyber operations not crossing the armed attack threshold, proportionality is especially amorphous. For example, Russian election interference falls short of the armed attack threshold permitting the use of force in self-defense; however, election interference likely constitutes an “internationally wrongful act”—legally permitting U.S. countermeasures against Russia. The following explores the viability of countermeasures as a rubric for responses to cyber operations below the use of force threshold.
Countermeasures are measures taken in response to an instigating state’s internationally illegal act, wherein the injured state takes an action that would otherwise violate an international legal obligation, the aim of which is to compel or convince the instigating state to stop its illegal behavior. The matter of whether it is unlawful for a state to cyber meddle in another state’s elections is unsettled, though the three most common theoretical bases of violation are: (1) violation of the target state’s sovereignty; (2) intervention into the internal affairs of the state holding the elections; and (3) breach of the obligation to exercise due diligence that the state’s territory is not used as the location from which others conduct the cyber meddling operations. The fact that the NDAA specifically pre-authorizes cyber operations in response to cyber meddling suggests that the U.S. has taken the position that such activity indeed constitutes an internationally wrongful act, though the extent to which the international community will espouse this perspective remains to be seen.
Countermeasures, in addition to being necessarily reactive to an internationally illegal act, also require that the act successfully be attributed to the state in question. Attribution is recognized as an arduous challenge in cyberspace, but is becoming increasingly surmountable, especially for sophisticated governments. To that point, the U.S. not only identified Russian hackers participating in election interference for the 2018 midterm elections, but also notified the hackers that they were being monitored to dissuade them from engaging in further operations. Given that the U.S. seems to recognize cyber meddling in elections as a violation of sovereignty, countermeasures appear to be a legally appropriate mechanism for implementing the NDAA’s authorization for “appropriate and proportional action in foreign cyberspace to disrupt … attempt[s] to influence American elections.” But, from a policy perspective, are they the optimal course of action?
The principle of countermeasures provide a framework for ensuring that retaliatory cyber operations are proportional, though it differs from the more familiar international humanitarian law principle of proportionality for armed conflict. Proportionality in the context of countermeasures focuses on the extent of the injury suffered by the victim state, as opposed to the benefit gained by the countermeasure. A countermeasure may exceed the minimum intensity and scope necessary to force the responsible state into compliance with its legal obligation to the injured state, so long as it remains proportionate; however, if only a disproportionate action would compel the responsible state to comply with its legal obligations, then the victim state is precluded from engaging in a countermeasure of that severity.
Michael N. Schmitt, the expert who directed the creation of the Tallinn Manual(s) on cyber operations, is sanguine about the prospect of cyber countermeasures. He concludes that “[c]ountermeasures offer [s]tates a viable, and lawful, means of responding to harmful cyber actions in a manner more robust than retorsion, [a retaliatory action that is lawful but detrimental to another state’s interests,] but less provocative than a use of force. With countermeasures, [s]tates will seldom be left with a choice between ineffective response and overreaction.” Even so, Schmitt concedes that judging the proportionality of countermeasures is a difficult and approximative task. However, proportionality analysis is generally an imprecise exercise.
Others criticize the extrapolation of countermeasures to cyberspace on a normative basis, claiming that it would constitute a dangerous precedent. One scholar contends that for “states to embrace countermeasures doctrine as a means of addressing cyber interference in elections would be myopic” because it would expand the lawful use of violence in the international system. Others castigate reciprocal countermeasures as “deeply problematic for an international legal regime that seeks to appropriately constrain state responses to cyber-conflict.” Cited concerns include the risk of unanticipated and wide-ranging harms because of the interconnected and interdependent nature of digital infrastructure. The potential for additional, unexpected harms—potentially making the countermeasure disproportionate—may generate further escalatory pressures.
Notwithstanding the imperfections of countermeasures, their extrapolation to the cyber domain would clarify the scope of activity that the U.S. will likely undertake now that it is authorized to proportionately respond to cyber meddling in elections. Furthermore, a cyber countermeasures regime would comport with U.S. government doctrinal publications, such as this year’s Command Vision, released by U.S. Cyber Command, which envision cyberspace as a more actively contested domain. In light of Section 1642, the U.S. government should further articulate its understanding of proportionality in the cyber domain, particularly with respect to actions taken in response to foreign cyber meddling in elections. Clearly espousing the countermeasures framework would be one way of reducing uncertainty regarding its intent.