A Leading, Relevant Authority Shares Some Thoughts on Whether the Sony Hack is an “Act of War”
Newt Gingrich will not be happy with this.
Michael Schmitt is professor of International Law at the U.S. Naval War College and has participated in a number of leading research efforts on the laws of armed conflict. Not the least of these was chairing the study which resulted in the Tallinn Manual on the International Law Applicable to Cyber Warfare, which right now is the closest thing you’ll get to a authoritative restatement on the legal issues of the use of force in cyberspace, anywhere.
Professor Schmitt posted the following at the Just Security blog on 17 December:
Pursuant to Article 51 of the UN Charter and customary international law, if the malicious cyber operation against Sony had constituted a “use of force” rising to the level of an “armed attack,” the United States would have been entitled to respond forcefully, whether by kinetic or cyber means. The IGE unanimously agreed that cyber operations alone may be sufficient to cross the armed attack threshold, particularly when they cause substantial injury or physical damage. Some members of the group went further by focusing not on the nature of the harm caused, but rather its severity. In their view, a sufficiently severe non-injurious or destructive cyber operation, such as that resulting in a State’s economic collapse, can qualify as an armed attack.
The cyber operation against Sony involved the release of sensitive information and the destruction of data. In some cases, the loss of the data prevented the affected computers from rebooting properly. Albeit highly disruptive and costly, such effects are not at the level most experts would consider an armed attack. Additionally, some States and scholars reject the view that the right of self-defense extends to attacks by non-State actors. Even though the attribution of the Sony incident to North Korea has been questioned, this debate is irrelevant because the operation failed to qualify as an armed attack in the first place.
So: it looks like a number of public figures on this matter need to dial down their rhetoric. But it doesn’t mean that the U.S. is not without recourse (so long as the DPRK is indeed responsible):
The substantive criteria for breach of sovereignty by cyber means has been the subject of extensive examination in the Tallinn 2.0 process. In the earlier Tallinn Manual, the IGE agreed that at the very least a cyber operation breached sovereignty whenever physical damage (as distinct from harm to data) occurred. While no further consensus could be achieved on the matter, it would seem reasonable to characterize a cyber operation involving a State’s manipulation of cyber infrastructure in another State’s territory, or the emplacement of malware within systems located there, as a violation of the latter’s sovereignty. This being so, if the cyber operation against Sony is attributable to North Korea, it violated U.S. sovereignty. In the patois of the law of State responsibility, the operation amounted to an “internationally wrongful act”.
The commission of an internationally wrongful act entitles an injured State to engage in “countermeasures” under the law of State responsibility, as captured in Article 22 and 49–54 of the Articles on State Responsibility. Countermeasures are actions by an injured State that breach obligations owed to the “responsible” State (the one initially violating its legal obligations) in order to persuade the latter to return to a state of lawfulness. Thus, if the cyber operation against Sony is attributable to North Korea and breached U.S. sovereignty, the United States could have responded with countermeasures, such as a “hack back” against North Korean cyber assets. Indeed, it may still enjoy the right to conduct countermeasures, either because it is reasonable to conclude that the operation is but the first blow in a campaign consisting of multiple cyber operations or based on certain technical rules relating to reparations. It must be cautioned that the right to take countermeasures is subject to strict limitations dealing with such matters as notice, proportionality, and timing. Moreover, they are only available against States and the prevailing view is that a countermeasure may not rise to the level of a use of force.
Takeaway: So long as we can pierce the veil of DPRK deniability, the US (not Sony on their own) can respond in a proportional manner.
And that seems to be the White House’s position as well.
Originally published at b-copy.com on December 22, 2014.