International law applies to cyber operations – but views differ on exactly how. Does state-sponsored interference in another state's affairs using cyber means – for example,  disinformation campaigns in elections, disabling government websites, or disrupting transport systems – breach international law? If so, on what basis and how are the principles of sovereignty and non-intervention relevant? States are increasingly attributing cyber operations to other states and engaging in the debate on how international law applies, including circumstances that would justify countermeasures.

As states meet to debate these issues at the UN, the panel will explore how international law regulates cyberoperations by states, consider the prospects of progress at the UN, and assess the value of other initiatives.

This event coincides with the launch of a Chatham House research paper which analyses how the principles of sovereignty and intervention apply in the context of cyberoperations, and considers a way forward for agreeing a common understanding of cyber norms.

This event will bring together a broad group of actors, including policymakers, the private sector, legal experts and civil society, and will be followed by a drinks reception.

Summary

• The vast majority of state-to-state cyberattacks consist of persistent, low-level intrusions that take place below the threshold of use of force. International law, including the principle of non-intervention in another state’s internal affairs and the principle of sovereignty, applies to these cyber operations.
• It is not clear whether any unauthorized cyber intrusion would violate the target state’s sovereignty, or whether there is a threshold in operation. While some would like to set limits by reference to effects of the cyber activity, at this time such limits are not reflected in customary international law. The assessment of whether sovereignty has been violated therefore has to be made on a case by case basis, if no other more specific rules of international law apply.
• In due course, further state practice and opinio iuris may give rise to an emerging cyber-specific understanding of sovereignty, just as specific rules deriving from the sovereignty principle have crystallized in other areas of international law.
• Before a principle of due diligence can be invoked in the cyber context, further work is needed by states to agree upon rules as to what might be expected of a state in this context.
• The principle of non-intervention applies to a state’s cyber operations as it does to other state activities. It consists of coercive behaviour by one state that deprives the target state of its free will in relation to the exercise of its sovereign functions in order to compel an outcome in, or conduct with respect to, a matter reserved to the target state.
• In practice, activities that contravene the non-intervention principle and activities that violates sovereignty will often overlap.
• In order to reach agreement on how international law applies to states’ cyber operations below the level of use of force, states should put their views on record, where possible giving examples of when they consider that an obligation may be breached, as states such as the UK, Australia, France and the Netherlands have done.
• Further discussion between states should focus on how the rules apply to practical examples of state-sponsored cyber operations. There is likely to be more commonality about specific applications of the law than there is about abstract principles.
• The prospects of a general treaty in this area are still far off. In due course, there may be benefit in considering limited rules, for example on due diligence and a prohibition on attacking critical infrastructure, before tackling broad principles.

After President Trump decided to halt a missile attack on Iran in response to the downing of a US drone, it was revealed that the US had conducted cyberattacks on Iranian weapons systems to prevent Iran launching missiles against US assets in the region.

This ‘left-of-launch’ strategy – the pre-emptive action to prevent an adversary launch missiles – has been part of the US missile defence strategy for some time now. President George W Bush asked the US military and intelligence community to infiltrate the supply chain of North Korean missiles. It was claimed that the US hacked the North Korean ballistic missile programme, causing a failed ballistic missile test, in 2012.

It was not clear then – or now – whether these ‘left-of-launch’ cyberattacks aimed at North Korea were successful as described or whether they were primarily a bluff. But that is somewhat irrelevant; the belief in the possibility and the understanding of the potential impact of such cyber capabilities undermines North Korean or Iranian confidence in their abilities to launch their missiles. In times of conflict, loss of confidence in weapons systems may lead to escalation.

In other words, the adversary may be left with no option but to take the chance to use these missiles or to lose them in a conflict setting. ‘Left of launch’ is a dangerous game. If it is based on a bluff, it could be called upon and lead to deterrence failure. If it is based on real action, then it could create an asymmetrical power struggle. If the attacker establishes false confidence in the power of a cyber weapon, then it might lead to false signalling and messaging.

This is the new normal. The cat-and-mouse game has to be taken seriously, not least because missile systems are so vulnerable.

There are several ways an offensive cyber operation against missile systems might work. These include exploiting missile designs, altering software or hardware, or creating clandestine pathways to the missile command and control systems.

They can also be attacked in space, targeting space assets and their link to strategic systems.

Most missile systems rely, at least in part, on digital information that comes from or via space-based or space-dependent assets such as: communication satellites; satellites that provide position, navigation and timing (PNT) information (for example GPS or Galileo); weather satellites to help predict flight paths, accurate targeting and launch conditions; and remote imagery satellites to assist with information and intelligence for the planning and targeting.

Missile launches themselves depend on 1) the command and control systems of the missiles, 2) the way in which information is transmitted to the missile launch facilities and 3) the way in which information is transmitted to the missiles themselves in flight. All these aspects rely on space technology.

In addition, the ground stations that transmit and receive data to and from satellites are also vulnerable to cyberattack – either through their known and unknown internet connectivity or through malicious use of flash drives that contain a deliberate cyber infection.

Non-space-based communications systems that use cable and ground-to-air-to-ground masts are likewise under threat from cyberattacks that find their way in via internet connectivity, proximity interference or memory sticks. Human error in introducing connectivity via phones, laptops and external drives, and in clicking on malicious links in sophisticated phishing lures, is common in facilitating inadvertent connectivity and malware infection.

All of these can create a military capacity able to interfere with missile launches. Malware might have been sitting on the missile command and control system for months or even years, remaining inactivated until a chosen time or by a trigger that sets in motion a disruption either to the launch or to the flight path of the missile. The country that launches the missile that either fails to launch or fails to reach the target may never know if this was the result of a design flaw, a common malfunction or a deliberate cyberattack.

States with these capabilities must exercise caution: cyber offence manoeuvres may prevent the launch of missile attacks against US assets in the Middle East or in the Pacific regions, but they may also interfere with US missile launches in the future. Even, as has recently been revealed, US cyber weapons targeting an adversary may blow back and inadvertently infect US systems. Nobody is invulnerable.

International law applies to cyber operations – but views differ on exactly how. Does state-sponsored interference in another state's affairs using cyber means – for example,  disinformation campaigns in elections, disabling government websites, or disrupting transport systems – breach international law? If so, on what basis and how are the principles of sovereignty and non-intervention relevant? States are increasingly attributing cyber operations to other states and engaging in the debate on how international law applies, including circumstances that would justify countermeasures.

As states meet to debate these issues at the UN, the panel will explore how international law regulates cyberoperations by states, consider the prospects of progress at the UN, and assess the value of other initiatives.

This event coincides with the launch of a Chatham House research paper which analyses how the principles of sovereignty and intervention apply in the context of cyberoperations, and considers a way forward for agreeing a common understanding of cyber norms.

This event will bring together a broad group of actors, including policymakers, the private sector, legal experts and civil society, and will be followed by a drinks reception.

Summary

• The vast majority of state-to-state cyberattacks consist of persistent, low-level intrusions that take place below the threshold of use of force. International law, including the principle of non-intervention in another state’s internal affairs and the principle of sovereignty, applies to these cyber operations.
• It is not clear whether any unauthorized cyber intrusion would violate the target state’s sovereignty, or whether there is a threshold in operation. While some would like to set limits by reference to effects of the cyber activity, at this time such limits are not reflected in customary international law. The assessment of whether sovereignty has been violated therefore has to be made on a case by case basis, if no other more specific rules of international law apply.
• In due course, further state practice and opinio iuris may give rise to an emerging cyber-specific understanding of sovereignty, just as specific rules deriving from the sovereignty principle have crystallized in other areas of international law.
• Before a principle of due diligence can be invoked in the cyber context, further work is needed by states to agree upon rules as to what might be expected of a state in this context.
• The principle of non-intervention applies to a state’s cyber operations as it does to other state activities. It consists of coercive behaviour by one state that deprives the target state of its free will in relation to the exercise of its sovereign functions in order to compel an outcome in, or conduct with respect to, a matter reserved to the target state.
• In practice, activities that contravene the non-intervention principle and activities that violates sovereignty will often overlap.
• In order to reach agreement on how international law applies to states’ cyber operations below the level of use of force, states should put their views on record, where possible giving examples of when they consider that an obligation may be breached, as states such as the UK, Australia, France and the Netherlands have done.
• Further discussion between states should focus on how the rules apply to practical examples of state-sponsored cyber operations. There is likely to be more commonality about specific applications of the law than there is about abstract principles.
• The prospects of a general treaty in this area are still far off. In due course, there may be benefit in considering limited rules, for example on due diligence and a prohibition on attacking critical infrastructure, before tackling broad principles.