State-sponsored cyberattacks against just one victim nation at a time could soon provoke a global response, if a growing number of officials around the world have their way.
As the Pentagon has experimented with new authorities allowing U.S. Cyber Command to be more offensive in cyberspace, key officials have suggested there is a groundswell of support for multi-nation countermeasures in the digital age. Thomas Wingfield, the incoming deputy assistant secretary of Defense for cyber policy, told CyberScoop that alliances could be a more successful way to deter hackers and strike back when they infiltrate sensitive networks.
“I think that’s a more effective way to solve the problem, and I think that is the general [direction] of international law,” said Wingfield, who is still employed at National Defense University. “But I would also say we’re not there yet and states are in the process of moving international law in that direction.”
For months now, the U.S. State Department has been working to transform the way nation-states think about responding to cyberattacks.
In September, 27 countries — including the U.S., U.K., Estonia, Belgium and Denmark — agreed they are, in theory, willing to impose joint costs on hostile actors in cyberspace after months of lobbying from the U.S. State Department. The announcement had caveats that actions would be “voluntary” and “when necessary,” and it did not outline what circumstances or possible costs could apply.
While it remains unclear exactly how a collective response would work in practice, the concept is reminiscent of traditional military alliances, like the North Atlantic Treaty Organization. Article V of the NATO treaty famously states that an attack on one member could be interpreted as an attack on all. That provision only has been invoked once, by the U.S. following the Sept. 11, 2001, terrorist attacks. But it’s a notion that has, since 2016, expanded to include cyberattacks.
In June, Estonian President Kersti Kaljulaid told a NATO cybersecurity conference her country would support a joint response to hostile cyber-operations.
“Estonia is furthering the position that states which are not directly injured may apply countermeasures to support the state directly affected by the malicious cyber-operation,” she said.
And while the U.S. has not definitively weighed in on this strategy, Wingfield, whose first day at the Pentagon is Nov. 25, said he thinks Estonia’s stance is on its way to becoming the standard.
“Like many of its allies the U.S. may be moving in the direction of … collective countermeasures,” Wingfield told CyberScoop. “It looks like the … desired law is going to be the … real law before too long.”
Legalese could deter potential allies
“A collective response to a breach of international law is preserved by the U.N. Charter … only by the most severe breaches of international law,” said Lieutenant Colonol Massimiliano Signoretti, who works at NATO’s Cooperative Cyber Defence Centre of Excellence, Wednesday at the CyCon Conference in Arlington, Virginia.
Signoretti went on to explain that, in many cases under the law, only a victim may be authorized to respond to a “breach of an international legal obligation,” such as an attack. Even that interpretation, though, is up for debate.
Existing U.N. law never explicitly states that “only” victims will be allowed to respond to foreign assaults, particularly on technological infrastructure, according to Catherine Lotrionte, a former assistant general counsel at the CIA and Department of Justice.
NATO members, meanwhile, are working on pooling capabilities to respond to cyberthreats, particularly from Russia. The alliance is scheduled to open its Cyber Operations Centre in Mons, Belgium in the coming years as part of an effort to pool cyber capabilities among NATO member countries to respond to cyber threats and provide military commanders with situational awareness and defenses.