Nothing in international politics was ever simple, but sovereignty used to be simpler. The principles of how nations govern themselves within their borders are less clear for how nations should deal with attacks from outside the border that take place inside computers within those borders. International law has adapted somewhat, but we are still in the early days of setting and policing boundaries around cyber war, establishing norms and precedents to shape future action.
All of this makes a speech on cyber and international law, delivered today by the United Kingdom’s Attorney General Jeremy Wright, so compelling. While agreeing with sovereignty as the bedrock principle of international order, it mostly sidesteps the particulars of where and how the bounds of sovereignty fall in cyberspace, to instead focus on actions states can actually take.
From the speech:If a hostile state interferes with the operation of one of our nuclear reactors, resulting in widespread loss of life, the fact that the act is carried out by way of a cyber operation does not prevent it from being viewed as an unlawful use of force or an armed attack against us. If it would be a breach of international law to bomb an air traffic control tower with the effect of downing civilian aircraft, then it will be a breach of international law to use a hostile cyber operation to disable air traffic control systems which results in the same, ultimately lethal, effects.
“Acts like the targeting of essential medical services are no less prohibited interventions, or even armed attacks,” Wright continued, “when they are committed by cyber means.”
Just over a year ago, hospitals in the United Kingdom were hit by Wannacry, malware that used an exploit discovered by the NSA but kept secret until it was publicly released by an outside group in 2017. “Wannacry” hit unpatched Windows XP machines, like many in the hospitals, where it then encrypted the data and threatened to delete that data unless the person paid a ransom in bitcoin to unlock the specific device and its data. Fortunately, the Wannacry virus had a kill switch built in, and a security researcher managed to stop it before the attack turned fatal.
It’d be folly to plan security around being so lucky in the future, and Wright outlines a range of policies and scenarios for when and how the UK might respond to such attacks and intrusions. In the case of Wannacry, this was attribution: together with a handful of affected nations, the UK identified and named North Korea as the attacker. Beyond attribution, there is the matter of retaliation and deterrence.
“In tandem, our National Offensive Cyber Programme is building a dedicated capability allowing the UK to act in cyberspace,” Wright said. “We believe each state has the right to develop a sovereign offensive cyber capability. It does not destabilise nor weaponise cyber space to do so, as there is an obligation on each state to ensure use and development are carried out in accordance with international law. We have therefore been and will continue to be transparent about the existence of this programme.”
Much like the exact nature of sovereignty had to be worked out through years of transgressions and negotiations, setting the rules for cyber weapons will involve the same political two-step. How a state can have an “offensive cyber capability” that does not “weaponise cyber space” remains to be defined.