Russell Buchan, Joe Devanny
“I won’t go into detail about [U.K. offensive cyber] activities—stealth and ambiguity are key attributes of cyber operations.” So said Sir Jeremy Fleming, the head of the U.K. intelligence, cyber, and security agency GCHQ (Government Communications Headquarters), in a recent commentary. The intelligence official argues for discretion regarding public comment about sensitive operational equities—no one’s idea of a snappy, newsworthy headline. But placed in its proper context, Fleming’s public intervention tells us something interesting about the U.K. government’s evolving views about cyber strategy.
For more than a decade, the U.K. government has been developing a public narrative about its cyber strategy. This effort spans the governments of four (and now, with the recent appointment of Liz Truss, five) prime ministers, including four sequential iterations of a published National Cyber Strategy (2009, 2011, 2016, and 2022). Much of this effort rightly has focused on improving domestic cybersecurity and resilience, as well as maximizing the contribution of digital technologies to national prosperity. But, given that the lines between the domestic and the international are blurred in cyberspace, from its inception U.K. strategy also has addressed the issues of state behavior in cyberspace, the risks posed by non-state actors, and the role of laws and norms in contributing to strategic stability.
In addition to published strategies, the U.K. government’s strategic communication about cyber has included prominent speeches by successive foreign secretaries and attorneys general, as well as by senior securocrats such as the GCHQ director. This division of effort in the public communication about U.K. strategy makes sense, incorporating senior political leaders with responsibility for foreign policy and the law as well as leading securocrats who, as career officials rather than politicians, speak with a different kind of authority and independence from partisan politics. Cumulatively, this helps to advance the U.K.’s emerging narrative about the responsible, democratic use of cyber power by nation-states. Fleming’s remarks also emphasized that the U.K.’s cyber operations were “ethical, proportionate and legal.” As a proponent of responsible state behavior in cyberspace, it is not surprising that the U.K. twice (in 2018 and 2022) has used a major speech by its attorney general to develop the legal aspects of the case for responsible cyber power.
In a recent Lawfare article, Andrew Dwyer and Ciaran Martin argued that a speech by then-U.K. Attorney General Suella Braverman (now the home secretary in Liz Truss’s cabinet) missed the opportunity to clarify the U.K.’s views about the applicability of non-intervention in international law regarding peacetime cyber operations and, more generally, to set out how the U.K. sees international law governing its own behavior in cyberspace. These are important observations concerning the U.K.’s developing narrative about cyber strategy. Dwyer and Martin are established and reliable sources, whose views we take seriously. Their intervention is a significant one in the public conversation about U.K. cyber strategy, particularly given its publication on Lawfare.
Because this critique deserves to be taken seriously, we are replying to it with what we believe is an important clarification—arguing that the recent attorney general’s speech was more interesting legally and potentially more significant strategically than Dwyer and Martin implied.
Non-intervention and Peacetime Cyber Operations
In May 2022, then-U.K. Attorney General Suella Braverman reaffirmed the U.K.’s position that sovereignty is a political principle of international relations rather than a legal rule of international law. Concerned that this would leave the U.K. exposed to a range of malicious cyber operations, Braverman proposed a more expansive interpretation of the principle of non-intervention. According to the International Court of Justice’s 1986 Nicaragua judgment, “coercion is the essence of intervention” and manifests where a state forces another state to do something that it otherwise wouldn’t. Put differently, conduct is coercive where it interferes with a state’s freedom of choice when it comes to determining matters falling within its sphere of sovereign authority.
Braverman advocated for a broader reading of the notion of coercion. For the attorney general, coercion describes acts that are “forcible, dictatorial, or otherwise coercive, depriving a State of its freedom of control over matters which it is permitted to decide freely by the principle of State sovereignty.” She also explained that the “scale and effect” of a cyber operation is relevant when determining whether a breach of the non-intervention principle has occurred. In this approach, conduct is coercive where it deprives a state of its freedom of control over matters falling within its domaine réservé.
The attorney general’s statement provides “illustrative examples” of coercive cyber operations that may run into conflict with the principle of non-intervention. As Dwyer and Martin explained, these examples pertain to four main areas or sectors—health care, the economy, energy, and democratic processes. For example, cyber operations are coercive where they cause hospital computer systems to cease functioning, prevent a state from managing its domestic economy, cause energy supply chains to stop functioning, and disrupt a state’s ability to hold democratic elections.
In their article, Dwyer and Martin criticize Braverman’s statement for being an “oversimplification” of the principle of non-intervention (a view shared by another prominent cyber security expert, Michael Schmitt). For them, the attorney general’s approach is problematic because its focus is on whether a cyber operation has a coercive effect on the target rather than on whether it has a coercive effect on the state, which runs counter to the principle of non-intervention—whose aim is to protect the sovereign authority of the state from outside intervention. But their criticism misses the point. Braverman does not shift the focus away from the state; on the contrary, she remains very much focused on the state in assessing a potential coercive effect: Does the scale and effect of the cyber operation deprive the state of its freedom of control over matters falling within its sovereign authority? When it comes to the principle of non-intervention, then, the attorney general’s objective is to shift the focus away from protecting the state’s freedom of choice to protecting its freedom of control. It is also important to note here that Braverman’s examples, used to illustrate the types of cyber operations that may breach the principle of non-intervention, all involve operations impacting the administration of critical national infrastructure or impeding the delivery of critical national services, which are demonstrably matters falling within the control, responsibility, and thus sovereignty of the state.
Cyber Diplomacy and Sectoral Specificity
The U.K. government is a very active participant in multilateral and multi-stakeholder discussions about responsible state behavior in cyberspace. A variety of forums exist to further these discussions—some of them under the umbrella of the United Nations, but many also comprising efforts of civil society groups and technology companies to advance the global conversation about cybersecurity. Examples of such initiatives have included the Cybersecurity Tech Accord, the Global Multistakeholder Meeting on the Future of Internet Governance (NETmundial), and the Paris Call for Trust and Security in Cyberspace. The politics and geopolitics of international deliberations about state behavior in cyberspace have always been difficult, but they arguably have never been as difficult as they are right now. The reintensification of Russia’s invasion of Ukraine in February 2022 has provided further evidence of malicious state behavior in cyberspace and makes it that much more difficult to achieve progress in cyber diplomacy.
In this context, therefore, it is tempting to interpret Braverman’s recent speech as a window into one possible future for cyber diplomacy’s next steps: the cultivation of more sector-specific discussions about what states should not do in cyberspace to undermine the critical infrastructure of other states. This might offer a more limited, and therefore more auspicious, focus for discussion between states on, for example, the need to protect the digital infrastructure underpinning health care or electoral systems. The iteration of specific examples in Braverman’s speech could be the basis for further discussion between states, adding further substance to the principles already agreed and affirmed in the UN processes. Focusing discussion on how states regard specific actions, rather than comparing interpretations of principles, potentially offers a productive avenue for cyber diplomacy.
Like any interaction between states, cyber diplomacy is a dynamic and uncertain process with no guarantee that agreements will be upheld or that progress is more likely than backsliding. In this scenario, there is value in the U.K. trying to move the global conversation forward. We contend that one way to interpret the attorney general’s speech is as a snapshot of that wider moving picture—an effort to maintain the incremental momentum in the direction of reinforcing and extending norms about responsible state behavior in cyberspace. We would argue that the speech was not intended as the last word, but as one step in a longer journey.
Coherence on Coercion: The Consistency of U.K. Thinking Over Time
Dwyer and Martin also criticize Braverman’s 2022 statement for failing to “relate” its analysis of the principle of non-intervention to the assessment of this principle advanced in 2018 by Braverman’s predecessor, Jeremy Wright. Dwyer and Martin argue that the 2018 statement adopted a more conventional reading of the non-intervention principle, more akin to the previously mentioned 1986 Nicaragua judgment. In their words: “How these two speeches work together in outlining the U.K.’s position … is far from clear. Simply, does the U.K. ascribe to conventional interpretations of coercion, to a novel interpretation that focuses on predefined targets, or a combination of the two?” In failing to tie together these different assessments of the principle of non-intervention, Dwyer and Martin argue that Braverman’s statement “risks clouding interpretation of the U.K.’s position on the scope of non-intervention.”
Dwyer and Martin’s criticism seems to miss both the continuity between the two attorney general speeches and the incremental developments in the more recent speech. Wright’s 2018 statement defined the principle in broad terms as “interference in another State’s sovereign freedoms” and expressly stated that “the precise parameters of this principle remain the subject of ongoing debate in the international community.” Evidently, the 2018 definition did not align itself with the narrower Nicaragua paradigm of “freedom of choice.” By referring to interference in a state’s “sovereign freedoms,” the 2018 statement left the definition of the principle of non-intervention deliberately broad and expressly stated that further clarification would be needed.
In 2022, we would argue, Braverman sought to provide a more detailed definition of the principle of non-intervention and, in particular, when cyber operations can be regarded as coercive. Moreover, the most recent statement gives further detail by providing a non-exhaustive list of illustrative examples of malicious cyber operations that may in practice breach this principle. While it is correct that further refinement of the U.K.’s position will be necessary over time, and while one may dispute whether the U.K.’s broader interpretation of the notion of coercion is congruent with international law as it currently stands, the U.K.’s approach across the 2018 and 2022 statements is both integrated and consistent. It clarifies rather than clouds the U.K.’s stance on non-intervention.
Rebutting the Ronan Keating Doctrine
In Jermey Fleming’s remarks that we quoted in the opening paragraph of this article, there is a fundamental tension at the center of this effort, especially when it comes to the increasingly public debate about the role of offensive cyber operations in national cyber strategies. Say too little, and risk failing to bring along public opinion or persuade other states of your good faith or point of view. Say too much, and risk undermining operational effectiveness.
In over a decade of published strategies and well-publicized speeches from senior political figures, law officers, and securocrats, the U.K. government has tried to meet this challenge—talking more openly about the existence of sovereign offensive cyber capabilities and their role in national strategy, but maintaining the discretion that Fleming signaled was operationally necessary. The U.K. has pursued a wide range of activities to develop its cyber strategy, fostering a domestic cybersecurity ecosystem, supporting global capacity-building, and also sponsoring academic research.
Dwyer and Martin criticize the attorney general for “what was not included” in the 2022 statement, namely, for saying “virtually nothing about how the U.K. uses, or might use, offensive cyber.” They argue that the attorney general’s reticence is a particular concern given the recent establishment of the National Cyber Force (which is tasked with conducting the U.K.’s offensive cyber operations) and proceed to draw an analogy with the U.K.’s regulation of its Special Forces: “The government acknowledges its existence but says nothing about what it does, even in outline terms.” This criticism leads Dwyer and Martin to conclude that “it’s hard for the U.K. to be credible in asserting its own position as a ‘responsible’ cyber power … while adopting what might be called the Ronan Keating doctrine for itself: saying it best when saying nothing at all.”
This is a version of the same problem highlighted at the beginning of this piece regarding Jeremy Fleming’s recent remarks about the need for operational discretion. Invoking the Goldilocks rider to the Keating doctrine, we could say it is about the difficulty of calibrating public remarks to get them “just right.” This is especially challenging in the case of public communication about a state’s offensive cyber capabilities and the circumstances in which it would use them. The objective is to say just enough to communicate successfully (for example, depending on the intended audience, to signal to adversaries, reassure allies, and/or build a constituency of informed public support domestically), while reducing the risk that increased openness might undermine operational effectiveness. One example of the U.K.’s effort to do so is the short description in the most recent National Cyber Strategy regarding the range of cyber operations conducted as part of the wider campaign to counter the Islamic State of Iraq and Syria (ISIS or Daesh).
We argue that, in addressing certain aspects of international law relevant to offensive cyber operations, the attorney general’s speech aims to strike this balance, providing further insight into the U.K.’s thinking, within the inevitable constraints that come when talking about sensitive issues. In this regard, we take issue with Dwyer and Martin’s criticism for two main reasons. First, they fail to recognize that the attorney general’s clarification about how the principle of non-intervention protects the U.K. from foreign cyber operations also gives important insights into how the U.K. sees this principle as limiting its own use of cyber capabilities. In short, non-intervention is a general principle of international law that both protects and constrains states in their international relations.
Second, Dwyer and Martin are correct that Braverman’s statement sidesteps some important questions about how international law may limit the U.K.’s use of offensive cyber operations. For example, she does not take a position on the legality of the important doctrine of collective countermeasures, leaving it “open to States to consider how the international law framework accommodates, or could accommodate, calls by an injured State for assistance in responding collectively.” Again, we would interpret this as an example of the speech being part of a process and not the last word on U.K. cyber strategy. Thus, the attorney general’s reluctance to be pinned down on this issue in this speech should not be interpreted as undermining the U.K.’s reputation as a responsible cyber power. Whether the doctrine of collective countermeasures is established in customary law is in fact highly contested, as the International Law Commission’s work on the law of state responsibility in 2001 demonstrates. In fact, since 2001 this dispute arguably has become more acute, not less. For example, in 2019 Estonia seemed to argue that collective countermeasures are permissible under international law, while a couple of months later one of its NATO allies, France, appeared to take the opposite view.
When it comes to areas of international law that are in a state of flux, and where the policy and legal implications of a particular approach need to be properly thought through, states are perfectly entitled to reserve their position on these matters. In fact, taking the time to “get it right” and articulate well-reasoned and fully informed interpretations of international law is actually a good indicator of responsible cyber power in practice.
Conclusion
Admirably, the U.K. government has been active in global cyber diplomacy and in trying to advance a public narrative—for domestic and international audiences—about what responsible state behavior looks like in cyberspace. The recent attorney general’s speech should be seen as a further step in that process, in the same way that Jeremy Fleming’s recent remarks are about cyber strategy in the context of the war in Ukraine. Today, the geopolitics of cyber diplomacy are arguably even more fraught than ever. As each new month seems to bring more revelations about the digital vulnerability of some integral aspect of everyday life—be that energy, financial, or health care—states have a duty not only to develop their own domestic cybersecurity strategies but also to collaborate in pursuit of stability in cyberspace. That process must involve both governments and stakeholders. Over more than a decade, the U.K. has cultivated a role for itself as a leading advocate for responsible state behavior in cyberspace. We believe that the recent evidence indicates that it will continue to play this constructive role in the patient, collaborative effort to improve global cybersecurity.
No comments:
Post a Comment