
State Cyber Operations and International Law: Russian and Western Approaches

THESIS

Presented in Partial Fulfillment of the Requirements for the Degree Master of Arts in the Graduate School of The Ohio State University

By

Brandon S. Davis

Graduate Program in Slavic & East European Studies

The Ohio State University

2018

Master's Examination Committee:

John B. Quigley, J.D., Advisor

Richard K. Herrmann, PhD

Copyrighted by

Brandon S. Davis

2018

Abstract

Cyber operations for the purpose of furthering state power, wealth, and influence are a relatively recent historical development. State cyber operations have consistently increased in scale, scope, and frequency since the mid-1990s. The trend marks a transition from the use of conventional conflict to the use of cyber operations as a key component to protecting and advancing national interests. The Westphalian international order has provided nation-states with a robust set of laws and norms that govern conventional and nuclear armed conflict. However, cyberspace is an increasingly contested domain with minimal international governance or agreement on its use as nation-states do not uniformly understand and apply international law to cyberspace. The Russian Federation has been actively challenging US cyberspace dominance for the previous decade, reshaping international cyberspace norms. The US must establish and maintain an effective cyberspace strategy that is uniquely suited to Russia’s application of cyber operations. In order for the US strategy to adequately provide security for the nation’s economy, infrastructure, and democratic institutions, it must take into account the distinction between the Western and Russian application of international law to state cyber operations. Russian scholars differ from Western legal scholars in four aspects: 1) Russian scholars differ in their understanding of the relationship between state sovereignty and cyberspace, 2) Russian experts generally do not view the current international framework as a sufficient guiding body for establishing legal norms in cyberspace, 3) Russia’s concept of self-defense in cyberspace changes with the strategic environment, and 4) the country emphasizes “information security” as opposed to “cyber security,” which has impacts on international human rights.


Vita

May 2002 ...... Tri-Valley High

2006 ...... B.A. Criminal Justice, Bowling Green State University

2012 ...... M.A. Criminal Justice, Troy University

2015 ...... A.A. Russian Language, Defense Language Institute, Foreign Language Center

2006 to present ...... U.S. Army Officer

Fields of Study

Major Field: Slavic and East European Studies


Table of Contents

Abstract

Table of Contents

List of Figures

Chapter 1: Introduction

Chapter 2: Current Cyberspace Operating Environment

Russia’s Utilization of Cyber Operations

Estonia

Georgia

Ukraine

United States

United States’ Utilization of Cyber Operations

Iran

North Korea

Espionage

Chapter 3: Cyber Operations and International Law

Western Approaches

Sovereignty

Due Diligence

Jurisdiction

Internationally Wrongful Cyber Acts

Attribution

Countermeasures

Espionage

International Human Rights Law

Use of Force

Armed Attack and Self-defense

Collective Security

Russian Approaches

Sovereignty

Current International Legal Framework Versus New Treaty System

Self-Defense

Cyber Security vs. Information Security and International Human Rights Law

Chapter 4: Implications and Conclusion

References

List of Figures

Figure 1: Cyber Incidents Over Time (n=208), and Top Nation States (n=162)

Figure 2: Levels of Cyber Operations

Chapter 1: Introduction

Cyber operations for the purpose of furthering state power, wealth, and influence are a relatively recent historical development. State cyber operations have consistently increased in scale, scope, and frequency since the mid-1990s. The trend marks a transition from the use of conventional conflict to the use of cyber operations as a key component to protecting and advancing national interests. The Westphalian international order has provided nation-states with a robust set of laws and norms that govern conventional and nuclear armed conflict. However, cyberspace is an increasingly contested domain with minimal international governance or agreement on its use as nation-states do not uniformly understand international law and apply it to cyberspace.

The US has become increasingly concerned with cyber operations only within the last ten years, and this is evident in the analysis of previous NSS (National Security Strategies). In 1997, President Clinton mentioned “cyber” zero times in his NSS (United States Executive Office of the President). In President Trump’s 2017 NSS, “cyber” is noted 45 times (United States President). The US has increasingly recognized the threat to its dominance of cyberspace and the potential security implications this has on the country. US cyberspace dominance is being actively challenged by many state and non-state actors. These actors include North Korea, China, and ISIS. However, with a well-developed cyber strategy, the Russian Federation has been particularly challenging to US cyberspace dominance for the past decade, reshaping international cyberspace norms. The US must establish and maintain an effective cyber strategy that is uniquely suited to Russia’s application of cyber operations.

In order for this strategy to adequately provide security for the nation’s economy, infrastructure, and democratic institutions, it must take into account the distinction between Western and Russian applications of international law to state cyber operations. Russian scholars and policymakers differ from Western legal scholars in four aspects: 1) Russian scholars differ in their understanding of the relationship between state sovereignty and cyberspace, 2) Russian experts generally do not view the current international framework as a sufficient guiding body for establishing legal norms in cyberspace, 3) Russia’s concept of self-defense in cyberspace changes with the strategic environment, and 4) the country emphasizes “information security” as opposed to “cyber security,” which has impacts on protection of international human rights.

This paper seeks to illuminate these differences through analysis of the current operational environment and the application of international law to cyber operations. To this end, the research provides various understandings and applications of cyber operations with respect to jus ad bellum through relevant case studies and offers an approach for US policymakers to address these differences in legal ideology.


Chapter 2: Current Cyberspace Operating Environment

State cyber operations have been continuously increasing in scale, scope, and frequency for the last two decades. Cyber operations have been carried out by a number of countries. However, for the purposes of this research, only US and Russian actions will be examined in depth. The Council on Foreign Relations (CFR) maintains a database of publicly-known state cyber operations since 2005 and this research utilizes the six categories of cyber operations as defined by the CFR. The CFR list of cyber operations includes Distributed Denial of Service (DDoS), espionage, defacement, data destruction, sabotage, and doxing.

DDoS is defined as the intentional paralyzing of a computer network by flooding it with data sent simultaneously from many individual computers. Espionage is the act of obtaining confidential information without the information holder’s consent. Defacement is the unauthorized act of changing the appearance of a website or social media account. Data destruction is the use of malicious software to destroy data on a computer or to render a computer inoperable. Sabotage is the use of that causes a disruption to a physical process, such as the provision of electricity or normal function of nuclear centrifuges. Finally, doxing is the act of searching and publishing private or identifying information about an individual or group on the internet, typically with malicious intent (Council on Foreign Relations). Figure 1 below shows the number of state cyber operations year on year and the nation-states allegedly responsible for the highest number of cyber operations. There are limitations to the CFR data due to difficulties in certainty of attribution.

Figure 1: Cyber Incidents Over Time (n=208), and Top Nation States (n=162) Source: Sasha Romanosky, RAND Corporation, utilizing data compiled by CFR at https://www.cfr.org/blog/tracking-state-sponsored-cyber-operations

Russia’s Utilization of Cyber Operations

At one time in Russia’s history, the state encompassed one-sixth of the world’s land mass, was the fifth largest industrial power, and the world’s leading agriculture exporter. However, the great military victories over Sweden, France, and Nazi Germany have been overshadowed by its defeat in the Crimean War in 1856, the Russo-Japanese War, WWI, and the Cold War. Russia’s historical inability to keep pace with the other great powers of various times throughout history has led to a consistent tendency of Russian leaders to suddenly and rapidly attempt to close the gap in geopolitical power (Kotkin 2).

Russian President is no exception to this trend of attempting to close the gap between Russia and the West. He has come to realize that geographical territory is not necessarily the indicator of geopolitical power in the twenty-first century. A combination of unappreciated Russian exceptionalism, Post-Soviet loss of geographical territory, and feelings of geographical and political vulnerability has led Russia to take a foreign policy stance of defensive aggression (Kotkin 4). Russia’s global reach is formed through a combination of its seat as a permanent member of the UN Security Council, its nuclear arsenal, and robust cyber warfare capabilities. Cyber warfare capabilities are now a critical component to Russian foreign policy and its attempt to maintain a global geopolitical reach. What the West refers to as “cyber operations,” Russia calls “information operations” or “информационная война” (Connell, Vogler and CNA Corporation 3).

Russian information warfare is an overarching notion that is comprised of computer network operations, electronic warfare, psychological operations, and information operations. What the West would call cyber operations in this sense are a component of information warfare. According to the 2010 Military Doctrine of the Russian Federation, information warfare may be used in order to achieve political objectives without the use of military force, and in the event military force is necessary, it can be used in order to shape a favorable response by the world community (Connell, Vogler and CNA Corporation 3).

Since 2007, Russia has allegedly carried out at least 43 attributable cyber operations against other nation-states, 20 of which were against the United States. The preponderance of the operations fell into the espionage category. Three operations were DDoS attacks, two were classified as defacement, and two fell into the category of data destruction. The most alarming operations are the two classified as sabotage. One of these attacks was carried out against the Prikarpattiaoblenergo Electric Company in Eastern Ukraine and another successfully targeted the Ukrenergo Electric Company in Kiev. Both of these attacks compromised the energy grid and led to a power outage (Segal "Tracking State-Sponsored Cyber Operations").

Estonia

Russia executed its first large-scale cyber-attack against Estonia in April-May of 2007. The operation is believed to be in response to Estonia’s decision to move a bronze statue of a Soviet soldier to a more remote location from central Tallinn, which was seen as an affront against the nearly 26% ethnic Russian population (Connell, Vogler and CNA Corporation 19).

During protests that ensued in late April, DDoS attacks targeted the webpages of Estonia’s parliament, political parties, banks, and media outlets. After the first wave of attacks was defeated through international efforts, another wave of attacks began on May 9th, the Russian Day of Victory. This wave of attacks continued to utilize botnets (hijacked computers) from around the world to target government, banking, and media websites. Estonia’s largest bank was forced to shut down its online operations, and attackers defaced websites by posting their own information in place of authentic data. The operations persisted until late May (Connell, Vogler and CNA Corporation 20). Multiple factors, including the timing of the attacks, the wide-ranging effects, and strategic choice of political and economic targets led many to immediately believe the Russian government was responsible for the attack. After over a decade of investigation, the international community supports the initial belief with a high degree of confidence. If Russia was responsible for the attack, many lessons can be drawn from the event.

Russia showed that it is not deterred from executing cyber operations against a NATO member and that it maintains a relatively low threshold for deploying offensive cyber operations. The catalyst to the event was the removal of a bronze statue. This is a seemingly low trigger to authorize an offensive DDoS operation. At the conclusion of May 2007, Russia was beginning to realize that even though Estonia was a NATO ally, the alliance was not prepared to take meaningful action against the DDoS attacks. If one asserts the attacks were designed to prevent the removal of the statue, the desired effect was not realized. However, they did indicate to Russia that a cyber blockade in concert with additional instruments of national power can be an effective method of effecting some level of change (Connell, Vogler and CNA Corporation 22).

One of the lessons learned for the global community was that in an era of interconnectedness, when most countries contain robust computer infrastructure, cyber operations are becoming increasingly easy to execute and more difficult to defend against. Secondly, even though the international community was nearly unanimous in its condemnation of Russia for the attack, the inability to collect definitive proof of attribution persists. Cyber operators may route an attack through a non-participating country, making their exact location or allegiance unknown. Thirdly, the global community was faced with the realization that cyberspace can and had been militarized to further a state’s interest (Ottis 167). Finally, NATO was forced to come to terms with the development that a decades-long conventional military and nuclear strategy was not enough to protect its allies from an adversary violating their sovereignty.

The impetus of NATO’s Cyber Defense Program came after NATO experienced DDoS cyber-attacks during Operation Allied Force in Kosovo from pro-Serbian hacktivists attempting to disrupt the alliance’s operations. The NATO Computer Incident Response Capability (NCIRC) was established as a result during the 2002 Prague Summit, which strove to ensure detection of cyber-attacks, protect NATO networks against them, and provide information and assistance to those affected. However, the protection of Allies’ national networks was not addressed by this capability (Joubert, College and North Atlantic Treaty 1).

The alleged Russian cyber operations in Estonia triggered a request by the state for emergency assistance to defend its infrastructure. Minister of Defence Jaak Aaviksoo called the attack a threat to the security of the entire nation. The exposure of the Cyber Defense Program’s inadequacies also revealed legal questions with respect to Articles 4 and 5 of the North Atlantic Treaty as well as where cyber operations are situated within international law. The alleged Russian cyber-attack against Estonia triggered the international discussion about how jus ad bellum (the conditions under which a state may resort to the use of force) and jus in bello (regulation of armed conflict) apply to cyber operations, the extent to which a state can be considered responsible for cyber-attacks launched from its territory, and the general underlying concern whether existing international and national laws provide a sufficient framework for classifying and responding to cyber operations. Ultimately, NATO began to analyze the existing international legal framework and develop a congruent cyber strategy (Joubert, College and North Atlantic Treaty 3).

NATO maintains a long-standing strategy of deterrence with respect to conventional and nuclear security, reaching back to its formation in 1949. The organization has utilized a combination of deterrence by denial and deterrence by punishment, mainly in its strategy to address the Soviet and Russian conventional and nuclear threat. Deterrence by denial requires a large set of defensive capabilities that prevent an adversary from achieving its objectives. Deterrence by punishment occurs when a state asserts that it will meet a specific action with a defined retaliatory measure. Traditional deterrence by denial and punishment strategies are difficult to simply transpose with cyber threats due to the domain’s constantly changing environment, defense capability, and the issue of attribution. In creating an effective cyber strategy, NATO has encountered issues pertaining to attribution, the appropriate levels of response, determining the appropriate threshold for response, determining intent, and addressing third party involvement (Joubert, College and North Atlantic Treaty 3).

Based on lessons learned from the Estonia attack, NATO took steps to increase cyber defense at the organizational level. At the Bucharest Summit in 2008, a revised cyber policy created the Cyber Defense Management Authority, which was charged with initiating and coordinating immediate and effective cyber defense action. Possibly the most important reaction to the attack was the creation of the NATO Cooperative Cyber Defense Center of Excellence (CCD CoE), located in Tallinn. The CCD CoE is comprised of volunteer countries that are dedicated to cyber defense research, including policies, legal framework, and strategy. The Center has been at the forefront of research on the applicability of international law to cyber warfare and has released two robust publications on the topic since its inception in 2008. However, the Center is not an official arm of NATO. It is merely an advisory body that does not act militarily in the event a cyber operation is aimed at the alliance (Joubert, College and North Atlantic Treaty 5).

NATO currently relies on a deterrence by denial approach, which is wholly insufficient to address the issue of cyber-attacks. Shoring up defenses is simply not enough to thwart an adversary. Cyber operations compared to conventional or nuclear operations require minuscule amounts of funding. Data suggests that cyber operations are continuously growing in scale, scope, and frequency, which demonstrates a general failure of NATO’s deterrence by denial strategy. An adversary that does not succeed in reaching its objectives today is not deterred from trying again tomorrow. Part of the failure in strategy is not understanding Russia’s international law ideological framework.

The cyber operation against Estonia served as a significant benchmark for international law scholars, policymakers, and strategists. The operation was the largest to date that challenged a state’s sovereignty and triggered an international discussion on the degree to which Estonia’s sovereignty was violated and in what manner. Each nation-state’s understanding of how cyber operations relate to the violation of state sovereignty has significant impacts on policy and strategy formulation. Additionally, Estonia clearly viewed the operation as a violation of sovereignty by Russia. As a result, cyber operations were being analyzed for applicability to jus ad bellum. Following the operation, cyber warfare and cyber operations were still neatly situated beyond political understanding and legal consequences (Green 83,85).

Georgia

Russia’s next significant use of cyber operations occurred during the Russo-Georgian War in 2008. Russia’s full-scale invasion of Georgia on August 8, 2008 occurred after a period of mounting tension between the two states. The separatist republics of Abkhazia and South Ossetia were one point of contention between the two states. The 1991-92 First South Ossetian War ended in a Russian-brokered peace, emplacing a Georgia-Russia-South Ossetia peacekeeping force within the Russian-recognized separatist republic. Russia had a greater military involvement in the similar Abkhazian war from 1992-93 and was able to gain increased influence in Transcaucasia. Russian influence within South Ossetia and Abkhazia was challenged when Georgia responded with military force on August 7, 2008 to South Ossetia’s bombing of Georgian villages.

Russia was becoming increasingly concerned with Georgia’s warming relations with the West, specifically NATO’s declaration at the 2008 Bucharest Summit that it would welcome Georgia to the alliance upon the completion of the MAP (Membership Action Plan) (NATO). Russia’s response to these tensions came on August 8, 2008 with a full-scale invasion of South Ossetia and Abkhazia as well as air strikes within the interior of Georgia. The invasion marked the first instance where wide-scale cyber operations were utilized in concert with conventional operations in order to accomplish tactical, operational, and strategic objectives (Connell, Vogler and CNA Corporation 17). Operations included DDoS attacks against Georgian networks that cut off government communications and defaced government websites. Services were also disrupted at Georgian banks, transportation companies, and private telecommunications providers (Connell, Vogler and CNA Corporation 17). Cyberspace provides anonymity and difficulty in establishing attribution and the cyber operations in the Russo-Georgian War were no exception.

Russian hacktivist websites distributed lists of targets with associated malware and instructions, which could be used by anyone wishing to assist in the invasion from around the globe. Botnets that were ultimately traced back to Russia led to a virtual cyber blockade during the Russian invasion. The Russian government officially denied involvement, but subsequent evidence demonstrates Russian facilitation of the attacks. The detailed planning and timing involved with such an operation required knowledge of the timeline and nature of the invasion well in advance. Additionally, there is evidence that cyber operations were sequenced in accordance with specific operations within Georgia (Connell, Vogler and CNA Corporation 17).

The Russo-Georgia conflict raised significant international issues with respect to cyber operations. One of these issues was the concept of cyber neutrality. When cyber operations rendered the Georgian governmental cyber infrastructure inoperable, it turned to US companies to provide alternate IXPs (Internet Exchange Provider) that could allow the government to communicate again. However, the private US companies agreed to assist Georgia outside of government oversight or approval. This raised a significant international question: Could cooperation between the Georgian government and US private companies be seen as a violation of the United States’ status as a neutral party (Korns and Kastenberg)?

The Hague (V) Convention of 1907 outlines the rights and duties of neutral powers and persons in war on land. Article 1 states that the territory of neutral powers is inviolable. According to Article 2 of the Convention, belligerents in a conflict are forbidden to move troops or convoys of either munitions of war or supplies across the territory of a neutral power. Additionally, Article 5 provides that a neutral power must not allow the acts referred to in Article 2 to occur on its territory. Thus, the violation of Articles 2 or 5 may jeopardize its status as a neutral nation according to the Geneva (V) Convention of 1907 (United States et al.). Cyber operations are a relatively new form of conflict, which has not been sufficiently explored in relation to international law. Whether cyber operations can meet the threshold for an armed attack is still undetermined and will be the topic for discussion in subsequent chapters. The challenge for US cyber strategists is how to plan for increased levels of state cyber operations that involve the question of US cyber neutrality (Korns and Kastenberg).

The private web hosting company Tulip Systems (TSHost) contacted Georgian officials on August 8, 2008 and offered assistance in rebuilding Georgia’s lost internet capacity. The Georgian government began to utilize TSHost IXPs located in the US. A private American company, which had received no approval from the US government to take such actions, had singlehandedly challenged the relationship between cyberspace and state cyber operations. TSHost assumed the role of protector by allowing Georgian cyber operations to “retreat” to the US. After allowing Georgian sites to operate through TSHost’s IXPs, it too experienced cyber-attacks against its infrastructure. This has been termed Georgia’s “cyber left hook.” Estonia utilized its infrastructure to defend in place in 2008, whereas Georgia chose to maneuver in the face of a massive DDoS cyber operation (Korns and Kastenberg).

While this may seem appropriate in principle against clear Russian aggression, US policymakers are concerned about cyber neutrality and how private technology companies in the US can affect cyber neutrality status. Article 6 of The Hague (V) Convention of 1907 may provide a legal separation between the government and private technology companies. The responsibility of a neutral power is not engaged by persons crossing the frontier to offer their services to one of the belligerents (United States et al.). The US government was effectively unaware of TSHost’s actions, which safeguards its cyber neutrality. Policymakers must create procedures within the nation’s cyber strategy to ensure cyber neutrality. It must be proactive in communicating the nation’s intentions with respect to cyber operations in the face of an international conflict as well as ensure that private companies are aware of how their actions can affect international treaties.

There remain many unanswered legal questions that were raised as a consequence of the Russo-Georgia War. Geographic boundaries are traditional measures for the violation of sovereignty. The international community has yet to define what constitutes a violation of a state’s cyber sovereignty, especially in a conflict involving both cyber and conventional operations. The international community is divided on whether the Law of Armed Conflict can be applied to cyber warfare and to what degree. Finally, in light of the fact that Russian conventional operations were preceded by cyber operations in order to prepare the battlefield, experts began to examine the idea of anticipatory self-defense in response to such operations.

Ukraine

There is strong indication that Russia has been conducting similar DDoS attacks against Ukrainian government, military, telecommunications, and private information technology (IT) systems since 2013. DDoS and espionage operations have been effective in interrupting communications, obtaining and leaking government documents, and crippling public and private websites. However, beginning in December of 2015, Russia again increased the scale and scope of cyber operations against an adversary.

Most of the cyber operations Russia utilized against Ukraine were situated neatly in a category one may refer to as nuisance effects. The DDoS and espionage operations clearly disrupted Ukrainian governmental activities, but there was no indication of physical damage to infrastructure or interruption of tangible services. However, on December 23, 2015, Russian hackers executed a cyber operation that crippled three Ukrainian oblenergos (energy companies), leaving approximately 225,000 customers without power for hours (SANS ICS iv). The operation marked the first time that a cyber operation resulted in a power outage. This was an extremely well-coordinated operation that was directed at the regional distribution level. The operation, now classified as sabotage, involved nearly seven months of reconnaissance, targeting, intrusion, and exploitation prior to the power outage. While power was restored to the population within several hours, a Department of Homeland Security report states that the affected oblenergos continue to function in an operationally constrained mode as a result of the attack (SANS ICS v).

Authorities at the oblenergos believe that legitimate access credentials were utilized to facilitate remote access of electric breakers during the attack. Independent analysis has suggested that the operation was carried out by a combination of nation-state actors and cyber criminals, in which cyber criminals gained information on the substations and passed it to state authorities for action. Ukraine vehemently holds Russia responsible for the operations and there is reason to believe it had political motivation to execute such an attack. In the months after Russia annexed Crimea, Crimean authorities began to nationalize Ukrainian-owned power companies on the peninsula, which frustrated Ukrainian owners. Pro-Ukrainian activists physically attacked Crimean substations in December of 2015, which left the Russian naval base Sevastopol and nearly 2 million residents without power. Some analysts indicate that the December 2015 cyber operation was in retaliation for the previous physical attacks (Zetter).

Another possible motivation for the Russian cyber operation against the power grid is the move by the Ukrainian Parliament to nationalize all of the country’s electric companies. Ukrainian power company owners close to Putin had a vested interest in a parliamentary measure failing. This is further evidenced by the revelation that the cyber operation could easily have caused permanent damage to the power infrastructure. The hackers maintained the tools to physically destroy substation equipment and refrained from doing so, leading some analysts to suggest that the operation was primarily designed to send a message to the Ukrainian government or Ukrainian-backed separatists that Russia can easily counter any attempt to encroach on business interests or the electrical supply of Crimean residents (Zetter).

Another cyber sabotage operation targeted the Kiev electrical company Ukrenergo nearly a year after the first attack. Widely assessed to be the work of the Russian government, this second attack shows an increased capacity for effectiveness and is viewed as a “trial run” for a larger operation in the future. The attack on Ukrenergo occurred on December 20, 2016 and caused a blackout for about an hour for one-fifth of the city’s residents. In the 2015 operation, hackers manually gained access to the substation networks and switched off power. The 2016 operation was fully automated and contained the ability to directly communicate with the substation switches and also cause physical damage to the systems upon command (Greenberg).

Russia’s most recent cyber-attack is believed to be the mock virus “NotPetya” and is classified as data destruction. In January of 2018, the CIA (Central Intelligence Agency) determined with “high confidence” that the Russian GRU (Главное Разведывательное Управление, Main Intelligence Directorate) created the virus. NotPetya mainly targeted Ukraine on June 28, 2017 in an effort to disrupt the country’s banking system, but also affected systems in Denmark, , and the United States. The virus, disguised as a ransomware attack and delivered on Ukraine’s Constitution Day, permanently wiped data from computer systems and rendered some systems unrecoverable (Nakashima).


The domestic and international response to Russian cyber operations in Ukraine is varied. Because the sabotage operation aimed at Ukraine’s power grid was only hours in duration, the immediate international response was limited. Substation workers were able to identify the operations and switch control of the substations to manual mode and restore power to the population. Ukraine promptly pointed to Russian involvement and subsequent studies have agreed on some level of Russian government involvement. Additionally, cyber operations targeting Ukraine have persisted for nearly four years with some level of Russian attribution. The continuous onslaught of attacks has gained international attention and action, specifically from NATO.

While Ukraine is not a NATO member, the military alliance has taken measures to enhance Ukraine’s cyber defenses as well as modify its response criteria in the wake of attacks against member countries. At a press conference in Brussels in June of 2017, Secretary Stoltenberg noted that the alliance now defines cyberspace as a domain on par with land, sea, and air operations, and would see the requisite funding and planning as a result. He also stated that alliance members have agreed a cyber-attack could trigger Article 5 of the treaty in the same manner as a conventional attack (Oliphant and McGoogan). NATO’s acceptance of cyber operations as a possible armed-attack has significant applications to international law and will be explored in Chapter 3.

The alliance also made direct comparison to its response during and following the 2007 Estonia cyber-attacks. At the International Conference on Cyber Conflict in May of 2017, NATO officials told delegates that the alliance would deliver a robust response in the event of a serious and prolonged attack on a member state in cyberspace, including invoking Article 5. The Assistant Cyber Chief of Staff at NATO SHAPE (Supreme Headquarters Allied Powers Europe), Brig. Gen. Christos Athanasiadis stated that NATO would now take a very different and offensive posture if a cyber-attack event similar in scale to the 2007 Estonia attack were to occur under the present posture (O'Dwyer).

What might be considered a “serious and prolonged attack on a member state” is rife with ambiguity and is another point of contention for international law. Cyber operations do not cleanly fall above or below the level of armed conflict as international law was written largely for conventional warfare. Military alliances and nation-states are becoming increasingly concerned with cyber-attacks against their countries and developing cyber strategies to respond.

Where cyber operations fall according to the international law is of ever increasing importance and the Western-Russian approaches are incongruous to date. Cyber strategists are faced with recommending policy that is either congruent with current understanding of how cyber operations are situated within international law or utilizing the current ambiguity for more flexible operations.

United States

Russian operations relating to the 2016 US presidential election have been the most widely analyzed by US experts in recent history. The intelligence community, media, general public, legislators, and the president have consistently examined and discussed the operation since June of 2016. In January of 2017, the DNI (Director of National Intelligence) released an unclassified report assessing Russian activities and intentions in the 2016 election process. The report is a compilation of intelligence provided by the FBI, CIA, and NSA and is an analytical assessment of the motivation and scope of Russia’s intentions regarding the elections as well as its use of cyber operations to influence US public opinion (United States, Office of the Director of National Intelligence and National Intelligence Council i). The US intelligence community agreed that Russia’s influence in the 2016 election was the most recent expression of a long desire to undermine the US-led liberal democratic order. The operation was unique in that there was a significant escalation in directness, level of activity, and scope of effort. With a high level of confidence, the DNI assessed that Vladimir Putin ordered an influence campaign, the goals of which were to undermine faith in the US democratic process, denigrate , harm her electability and potential presidency, and support President Trump. The influence campaign utilized a collection of operations, including cyber, state-funded media, and “trolls” (paid social media users) (United, Office of the Director of National and National Intelligence ii).

Russian cyber operations included data disclosure obtained through espionage operations, targeting US primary campaigns, think tanks, and lobbying groups. The most intrusive cyber espionage operation was hacking the Democratic National Committee (DNC) networks, which took place from July of 2015 until June of 2016. The DNI determined with high confidence that the Russian GRU began cyber operations aimed at the election in March of 2016, and that the operations compromised personal email accounts of Democratic Party officials and political figures, gaining large volumes of data. The GRU then utilized the 2.0 persona, DCleaks.com, and WikiLeaks to publicly release victim data (United, Office of the Director of National and National Intelligence 3). An of professional trolls operated out of St. Petersburg to flood social media outlets with disparaging information about Hillary Clinton and spread Kremlin messaging to Russian and international audiences.


The effects of the operation are difficult to ascertain, but Russian intelligence services see it as a qualified success due to its ability to influence public discussion. The degree of public discussion leads Russia to believe that it can accomplish or influence policy goals relatively easily without significant damage to its interests (United States, Office of the Director of National Intelligence and National Intelligence Council 5). While the direct effects on the 2016 presidential election have not been, and may never be determined, the effects may not be as important to US policymakers as its applicability to other tenets of international law, such as sovereignty, self-defense, and countermeasures.

In late December of 2016, President Obama implemented measures in response to Russian influence operations. The measures included sanctions on two Russian intelligence agencies, the FSB (Федеральная служба безопасности, Federal Security Service) and GRU, three companies believed to have supported the cyber operations, and four Russian cyber officials. Thirty-five additional Russian operatives were ordered to leave the United States and two Russian-owned residences in Maryland and Long Island were shut down (Ryan, Nakashima and DeYoung). Congress acted to solidify the sanctions and provide for their expansion under President Trump’s tenure due to President-elect Trump’s posture on the matter. The executive order was signed by President Obama and then President-elect Trump publicly called the allegations about the Russian operation a hoax.

In August of 2017, the US Senate overwhelmingly passed the Countering America’s Adversaries Through Sanctions Act (CAATSA). The legislation codified sanctions imposed by President Obama under executive authority into law. CAATSA also blocks the current president from lifting them without congressional approval. The Act also authorized the President to impose new sanctions in response to cyber intrusions, extended restrictions on Russian energy firms, and added sectors of the Russian economy. Most important for US cyber defense was the addition of mandated sanctions against those helping Russia undermine the cybersecurity of any democratic institutions (Blackwill and Gordon). With the increased permissions to impose sanctions, President Trump was reluctant to impose them. In January of 2018, the State Department and Treasury Department issued twin announcements scorned by both the Kremlin and Russia hardliners. The State Department announced it would not be imposing additional sanctions called for under CAATSA.

As part of the announcement, the Treasury Department issued a new and expanded list of 210 senior Russian political figures as well as all oligarchs in the Russian Federation with a net worth of $1 billion or more (Clinch). The report is not a sanctions list, but clearly places a target on the listed individuals for future sanctions. The effects of the recent announcements are yet to be seen, but statements from President Putin suggest he is infuriated with the report and analysts expect trepidation on the part of international investors when dealing with the named oligarchs. If the named individuals feel that their association with Putin jeopardizes economic interests, they may attempt to distance themselves from a possibly toxic relationship.

Shortly after the State Department and Treasury Department announcements, on February 16, 2018 the Department of Justice indicted thirteen Russian individuals and three Russian companies for a scheme to interfere in the United States’ political system (Department of Justice). After hesitation by President Trump and the State Department to impose additional sanctions called for under CAATSA, the administration announced on March 15, 2018 that it is imposing sanctions on all individuals and organizations named in the Department of Justice report. The additional sanctions were overshadowed with what may be the most alarming development in state cyber operations to date.

As this research entered its final stages of editing, the Department of Homeland Security (DHS) and FBI released an alert on March 15, 2018, which highlighted the ever changing and intensifying operational environment. The alert stated, “since at least March 2016, Russian government cyber actors…targeted government entities and multiple U.S. critical infrastructure sectors, including the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors” (US-CERT). The actors targeted small commercial facilities’ networks where they staged malware, conducted spear phishing, and gained remote access into energy sector networks. After obtaining access, the Russian government cyber actors conducted network reconnaissance and collected information pertaining to ICSs. The operation closely resembles actions taken against Ukrainian regional power distribution stations in December of 2015 and 2016 and is a clear escalation of Russian cyber operations targeting the US.

Through Russia’s cyber operations in Estonia, Georgia, Ukraine, and the United States over the previous decade, Western legal scholars and policymakers are struggling to understand and establish international norms surrounding this new domain. Governments of victim countries and collective security organizations have floundered in developing a response to cyber operations that is congruent with their understanding of international law. The next section illuminates that Russia is not a lone cyber menace and countries must not only seek international legal understanding in their responses to operations, but also in utilizing operations when unprovoked.


United States’ Utilization of Cyber Operations

Iran

Cyber operation attribution to the United States reaches back to 2010 and the country is arguably the farthest reaching, most intrusive, and most accomplished of all cyber actors. In the past eight years, the US has been involved in cyber espionage, sabotage, data destruction, and denial of service across the globe. The main US targets include Iran, North Korea, Russia, and China. This paper asserts that the United States’ utilization of cyberspace to further national interests matches or exceeds that of the Russian Federation. The following operations have been attributed to the United States and illuminate its cyber capabilities and capacity. Through these operations and international response, significant issues have arisen with regard to the application of international law to cyberspace and cyber operations.

In June of 2010, Iran’s Atomic Energy Organization announced that it was experiencing attacks from a sophisticated computer worm that infected industrial plants throughout Iran. The worm, identified as “” was created to specifically target Siemens PLCs (Programmable Logic Controllers) that control oil pipelines, electric utilities, nuclear facilities, and other industrial sites (D. Sanger). The target of the attacks was a uranium enrichment facility in the city of Natanz. Stuxnet was designed to manipulate the centrifuges utilized to enrich uranium through the Siemens PLCs (De Falco 25). The centrifuges were sped up and slowed down by the virus, causing damage to them in some instances or suspicion of damage in others. Between 2009 and 2010, Iran removed and replaced nearly 1000 centrifuges at the Natanz facility. Prior to discovering the worm, faulty engineering, faculty, and parts were suspected of causing the issue.


The Iranians and outside researchers suspected various nation-state actors of executing the operation, including Russia, China, the US, and Germany. However, in June of 2012, New York Times writer David Sanger broke a story that changed the perception of cyber operations. The US in conjunction with Israel executed a clandestine cyber sabotage operation codenamed “Operation Olympic Games” in order to delay the progress of Iran’s nuclear program (D. E. Sanger). GEN. made attribution inescapable for the United States after he leaked the details of Operation Olympic Games to Sanger (Groll).

The virus proved effective at the tactical level, but analysts are divided on the strategic impact of the operation. Some researchers believe that Operation Olympic Games stifled the Iranian nuclear program for 2 years, noting that the operation was even better than a kinetic military strike on the facility. Others believe that the operation had limited impact on the nuclear program as the facility was still able to produce enriched uranium at constant levels (De Falco 23). Possibly the operation’s greatest effect was its impact on the JCPOA (Joint Comprehensive Plan of Action), or the “Iran Deal” as it is more commonly known. The material effects of Operation Olympic Games, combined with economic sanctions, an oil embargo, threats of military force, and political isolation drew Iran to the negotiating table (Mehta and Whitlark).

Operation Olympic Games was the first cyber operation to move beyond data destruction or theft. It marked the dawn of an era where cyber operations could actually cause damage to equipment or infrastructure. For the international legal community, the operation opened further exploration of the violation of territorial integrity, what meets the threshold of use of force according to the law of armed conflict, and what legal rights the victim state has with respect to self-defense.


North Korea

As part of a larger directive signed by President Trump early in his presidency to pressure North Korea into curtailing nuclear testing, US Cyber Command executed a DDoS operation against North Korea’s military spy agency, the Reconnaissance General Bureau. The operation was temporary and did not cause data destruction, but did interfere with the intelligence agency’s activities (DeYoung, Nakashima and Rauhala). The DDoS attack signaled to the international community that the US is willing to utilize all forms of national power, including military action in the form of offensive cyber operations.

President Trump has also inherited a covert program to sabotage North Korea’s nuclear missile program. Since the program was started in 2014, 88% of North Korea’s launches have resulted in self-destruction. This may not be a direct causal relationship between the cyber sabotage operation and missile failure, but there is clearly a correlation. The missile failures may also be due to standard trial and error techniques, much like the US encountered during its missile development. However, the mere frequency of the failed test flights when compared to other countries’ programs hints at some level of sabotage (Sanger and Broad).

Espionage

While Operation Olympic Games and efforts to impede the Iranian missile program are the clearest example of US cyber operations due to their positive attribution and scope, the US has allegedly carried out numerous and far reaching cyber espionage operations across the globe. Leaked documents from in conjunction with independent analysis have named the threat actor “” as being a cyber operations unit assigned to the NSA and other “Five Eyes” intelligence agencies (Segal "Tracking State-Sponsored Cyber Operations").

Viewed as one of the most advanced and capable threat actors operating in cyberspace, Equation Group is associated with such high-profile espionage tools as , Stuxnet, , Gauss, and . Since 2001, the operations infected systems in 42 countries, including Russia, Iran, , India, and China among others (Segal "Tracking State-Sponsored Cyber Operations"). Equation Group’s attribution to the United States in 2015 came years after the US had been consistently accusing China and Russia of economic, personal, and institutional espionage. Even though attribution is not an absolute certainty, it caused tensions between the three countries. After years of diplomatic criticism, the United States was forced to stand on equal footing as a “cyber spy” with China and Russia. The United States’ tenure as a covert cyber spy had come to an end.

Cyber espionage has raised significant issues for the international law community and strategists. There is no international treaty that governs cyber espionage. There is also no international treaty regulating traditional espionage that can be adapted to cyber espionage (Osula, Rõigas and NATO CCDCOE 68). Chapter 3 will explore how cyber espionage is situated within the current treaty system.


Chapter 3: Cyber Operations and International Law

The cyber operations detailed in Chapter 2 vary greatly in scale and scope. The victim states responded to the operations with varying types and levels of countermeasures. Because nation-state use of cyber operations is increasing in frequency year on year, the need for an international law framework is growing. Chapter 3 explores the application of existing international law to cyber operations with the specific focus on pre-war conditions. This research does not focus on cyber operations as they relate to the law of armed conflict. A nation’s understanding of this application applies directly to its use of cyber operations and can shed significant light on an adversary’s possible actions. Agreement between Moscow and the West on the threshold of cyber-attacks below the level of armed conflict may be difficult. Russia and the West have quite different views on what is a retaliation-worthy attack (Segal The Hacked World Order: How Nations Fight, Trade, Maneuver, and Manipulate in the Digital Age 105). In 1996, the US and Russia secretly met in Moscow to discuss a possible international treaty framework, specifically relating to cyberspace, but no agreement was reached.

This chapter outlines the current Western approach to applying cyber operations to international law. Russian incongruences will be specifically highlighted in the next section. US diplomats have traditionally vehemently opposed specific international treaties relating to cyberspace as it views itself as having more to lose than gain from such agreements. To date, the US appears more eager to formalize agreements on criminalizing acts such as fraud, pornography, illegal access to data, intellectual property theft, and system interference as opposed to those relating to state specific operations (Segal The Hacked World Order: How Nations Fight, Trade, Maneuver, and Manipulate in the Digital Age 117).

Western Approaches

At issue are the fundamental differences in the culture of cyberspace between the West and Russia. The West views cyberspace as a domain where prosperity and security increasingly depend on an open, interoperable, secure, and reliable medium for free and open expression. The US in particular views itself as having a special responsibility to lead a networked world due to its creation of the internet (United States and President). The US would be particularly resistant to drafting international agreements that make it easier for authoritarian regimes to censor the internet. Thus, the West is more apt to apply cyberspace and state cyber operations to the existing international law framework.

Following the 2007 Estonia attack, 2008 Georgia invasion, and 2012 Stuxnet revelation, Western countries became increasingly concerned about cyberspace’s impact on public safety as well as national and economic security. As a result, international experts began to question how existing law applies to cyber issues. The NATO CCD COE completed a comprehensive study to address the matter. The Center assembled a group of nearly 50 international law experts with the goal of producing a non-binding document applying existing international law to cyberspace. In 2013, the “International Group of Experts” (IGE) published the Tallinn Manual on the International Law Applicable to Cyber Warfare, more commonly known as the Tallinn Manual.

A new International Group of Experts published the second edition of the project in 2017, referred to as the Tallinn Manual 2.0. The publications address many of the international law issues raised out of the aforementioned Russian and US cyber operations, to include sovereignty, jurisdiction, legal responsibility of states, countermeasures, the use and threat of force, self-defense, and proportionality. The Tallinn Manual, among other sources, provides a clear view of the Western approach to state cyber operations and international law.

Sovereignty

The concept of sovereignty as it relates to cyberspace is currently a contentious issue. Some suggest that cyberspace should be categorized much like the high seas, outer space, or international airspace where no physicality or territoriality dimension exists. Western scholars do agree that while no state may claim sovereignty over cyberspace as a domain, certain physical attributes may enjoy state sovereignty. The IGE suggests that “a state enjoys sovereign authority with regard to the cyber infrastructure, persons, and cyber activities located within its territory, subject to international legal obligations” (Schmitt 13). Accepting this understanding of internal sovereignty, one can conclude that a state may enforce domestic laws over such infrastructure and activities as well as protect cyber infrastructure and safeguard cyber activity under international law. This applies to both private and public infrastructure. A state additionally has the authority to independently decide on its political, social, cultural, economic, and legal order with a prohibition of unlawful intervention into a state’s domaine réservé (Schmitt 15). Russian cyber operations with the goal of influencing the 2016 US elections are an example of such unlawful intervention, which violates the sovereignty of another state.

Western law experts are divided on how acts of espionage apply to the violation of state sovereignty. Some suggest that acts of espionage against a state are a violation of that state’s sovereignty. However, due to the widespread and historical use of espionage, some propose that cyber espionage absent any damage to cyber infrastructure or data is acceptable (Schmitt 19).


The violation of state sovereignty is measured by three indicators: 1) Physical damage; 2) Loss of functionality; and 3) Infringement on territoriality below the level of loss of functionality. If a cyber operation causes damage to infrastructure or persons, it is determined to be a violation of state sovereignty. A clear example would be Operation Olympic Games described in Chapter 2 where Stuxnet caused physical damage to Iranian centrifuges. With respect to loss of functionality, any need to repair or replace affected equipment is proof of a violation of sovereignty. Finally, Western legal scholars are divided on infringement falling below physical damage or loss of functionality. Unfortunately, experts are most divided in the area where the majority of state cyber operations take place. These operations include significant DDoS attacks, malware that deletes or alters data, or the installation of backdoors for later exploitation (Schmitt 21). As a currently unresolved question in international law, states can exploit this ambiguity as it relates to sovereignty.

Due Diligence

Drawing from the International Court of Justice (ICJ) Judgment in the Corfu Channel Case, Western legal scholars suggest that a state must utilize due diligence in not allowing cyber infrastructure under government control to be utilized for the purposes of affecting the rights of other states and producing adverse consequences (Schmitt 31). The experts specifically apply cyber weapons to the principle through analysis of paragraph 39 of the ICJ’s Legality of the Threat or Use of Nuclear Weapons advisory opinion. The principle of due diligence only applies when a country knowingly permits another state to utilize its infrastructure. In the current cyber environment, this is very difficult to prove. For example, Russia utilized botnets located in various countries in order to influence the 2016 US election. Even if the countries knowingly allowed this to occur, it is nearly impossible to prove that permission was granted by the government of that state. Additionally, if a state deploys botnets in various countries as part of a larger cyber operation, each country’s act may violate the rights of the victim state, but individually may not produce adverse consequences (Schmitt 38).

The NATO CCD COE also put forth that states must take all feasible measures that a reasonably acting state in a similar circumstance would employ in order to prevent cyber operations that violate the rights of another state and cause serious adverse consequences (Schmitt 47). Of course, there are limitations to the abilities of certain states to act. The capabilities of the United States to identify and prevent malicious cyber operations would far exceed the capabilities of Moldova for instance.

Jurisdiction

Western scholars are generally in agreement that states maintain three types of jurisdiction over cyber activities and the individuals who engage in them. These include prescriptive, enforcement, and judicial jurisdiction (Schmitt 52). The notion of jurisdiction can become very confusing and difficult to establish with respect to cyber operations. To illustrate, a national from State A conducts a cyber operation from the territory of State B, against the infrastructure of State C, through the infrastructure of State D. In this example, multiple states could claim jurisdiction based on the operator’s nationality, the territory of the victim state, or the territory of the host or transit state.

A state enjoys territorial jurisdiction over cyber infrastructure or cyber operators within its territory and cyber activities originating from its territory. In congruence with the understanding of state sovereignty applied to cyber operations, enforcement jurisdiction applies only to cyber infrastructure, cyber activities, and persons who engage in such activities unless there exists a specific authority under international law or a foreign government provides consent to exercise jurisdiction (Schmitt 66). Due to the lack of specific cyber related international treaties providing jurisdiction to a higher judicial body, there is little chance that a nation-state will consent to extraterritorial enforcement jurisdiction.

On February 16, 2018, the United States made an historical step in shaping cyberspace norms. Even though the US does not have extraterritorial enforcement jurisdiction, special counsel Robert Mueller announced that a Department of Justice grand jury indicted thirteen Russian individuals and three Russian companies for a scheme to interfere in the United States’ political system (Department of Justice). The Department of Justice previously indicted Chinese nationals in 2014 and 2017 for economic espionage, but this was the first indictment of foreign nationals or companies related to a cyber operation other than espionage. The difficulty attributing specific cyber operations to a nation-state is one of the broader issues outside of international law. The Justice Department indictment of the Russian individuals and companies shows US resolve to seek attribution for cyber operations, even in an environment where extraterritorial enforcement jurisdiction is realistically absent.

Internationally Wrongful Cyber Acts

Much of the Western view of state responsibility flows from the International Law Commission’s Articles of State Responsibility, which were subsequently commended by the UN General Assembly to governments in 2001 (Schmitt 79). Adapted from the Articles, scholars suggest that states bear responsibility for cyber acts that are both attributable to the state and violate an international legal obligation, such as a bilateral or multilateral treaty. The delineation of cyber operations into tiers of violation becomes vitally important when exploring the right of self-defense, countermeasures, collective security, and the law of armed conflict. Internationally wrongful cyber acts may lie on a spectrum of operations, falling either above or below the use of force threshold as defined by Article 2(4) of the UN Charter (Harrison Dinniss 74).

Attribution

Attribution may be one of the most contentious issues within the study of state cyber operations. Attaining domestic indictments for foreign nationals may be a political victory, but actually proving allegations of internationally wrongful acts is quite difficult given the fluid nature of cyberspace. The ability to feign operations, utilize trolls and bots, and outsource state operations to private companies presents significant obstacles for proving attribution on the international stage. Conventional weapons differ greatly from cyber weapons in that they are easily traceable when fired. Bombers, missiles and ships can be tracked, soldiers can be identified or captured, and there is generally physical proximity to the target. Cyber weapons do not require physical proximity to the target, there is no intrinsic attribution data (i.e. uniforms or markings), persistent traces can be erased, they are easily concealable, and can have delayed effects for a number of years (Green 62).

Attribution in the physical sense must be delineated from attribution with respect to international law. While there is much debate on the threshold of proof for determining attribution, Western scholars are united in the fact that cyber operations conducted by a state, or by persons empowered by that state to exercise elements of governmental authority are attributable to the state (Schmitt 87). Critically important is the Western agreement that non-state actor actions can be attributed to a state if the actor engages in cyber operations pursuant to its instructions or under its direction or control. Russia is currently utilizing strategies to distance official state organs from attribution by directing non-state actors to operate on its behalf, as evidenced in the 2008 Georgia invasion and the 2016 US election influencing campaign. Troll farms acting under the instruction of the Russian government during the operations are attributable to the state.

Countermeasures

Drawing on the ICJ’s decisions in Nicaragua v. US and Hungary v. Slovakia as well as the 1928 Portugal v. Germany arbitral award, Western scholars reason that a state is entitled to take countermeasures, cyber or other, in response to an internationally wrongful act by another state (Schmitt 111). Appropriate countermeasures are those taken in order to return to lawful relations between states and may not be retaliatory or punitive in nature. Countermeasures are permissible under international law as a temporary measure for the purpose of preventing the continued breach of obligations underlying the measures (Schmitt 117). As an example, the cyber-attacks against Estonia in 2007 persisted for nearly a month. Applying this understanding of countermeasures to the attacks, Estonia was permitted to apply countermeasures throughout the operation in order to prevent the repetition or continuance of the attack. This could include Estonia’s own use of a DDoS operation against the aggressor state to make it desist from further violations.

The ICJ’s decision in Hungary v. Slovakia created a three-part test for countermeasures. First, they must be in response to an internationally wrongful act. Second, the victim state must have requested that the offending state desist from conducting the wrongful act. Finally, the countermeasure must be proportional to the injury to which it responds (Harrison Dinniss 107).

Proportional countermeasures differ from proportionality related to jus ad bellum, or the force required for a state to defend itself against an armed attack. This will be discussed in a following section. Proportional countermeasures need not be taken in the same nature as the internationally wrongful act taken by the offending state. Utilizing the Estonian DDoS attacks as an example, the country does not have to respond with DDoS countermeasures. It may, for instance, restrict the passage of Russian vessels through its territorial sea until the cyber operations cease (Schmitt 129).

Western legal scholars are divided on whether a non-injured state may take countermeasures on behalf of an injured state or assist the injured state in conducting countermeasures. The preponderance of scholars draw from Nicaragua v. US that countermeasures taken on behalf of an injured state by a non-injured state are unlawful (Schmitt 130). This understanding has significant impacts for actions taken by NATO in the event one state is the victim of cyber operations, but the organization wishes to assist that state in taking countermeasures. While this does not apply to collective defensive measures discussed later, the organization would not be permitted to enact countermeasures on behalf of an injured member state where the internationally wrongful act fell below the use of armed force.

Espionage

As mentioned in Chapter 2, cyber espionage has raised significant issues for the international law community and strategists. There is no international treaty that governs cyber espionage. There is also no international treaty regulating traditional espionage that can be adapted to cyber espionage (Osula, Rõigas and NATO CCDCOE 68). Most experts agree that customary international law does not prohibit the use of espionage during peacetime. After the far-reaching NSA surveillance operations were leaked by Edward Snowden, there is some indication that the international community has been moved by the effects of such widespread cyber espionage. The international community is not growing to detest the act of cyber espionage itself, but rather the utilization of data gained through espionage. Additionally, the intrusive nature of cyber espionage into infrastructure may violate international law through the principle of sovereignty. Even in cases of extraterritorial access to a state’s cyber infrastructure, legal scholars are divided on whether to classify the event as a breach of international law.

While a standalone cyber espionage operation may not be viewed as a violation of international law, Western experts agree that cyber espionage as part of a greater operation may violate international law. Russia’s interference in the 2016 presidential election is an example of this interplay. Russian cyber operations included data disclosure obtained through espionage operations, targeting US primary campaigns, think tanks, and lobbying groups. Viewed separately, the espionage operations do not necessarily violate international law. However, data gained from cyber espionage operations was utilized to steal the identities of US citizens and post derogatory or complimentary information on social media accounts. Russian nationals posing as US citizens created false US personas and coordinated with unwitting individuals associated with the Trump campaign to organize rallies and disseminate information. As part of a broader campaign, these acts and others may amount to a violation of US sovereignty through “illegal usurpation of a government function” (Ohlin).

International Human Rights Law

Western scholars generally apply international human rights customary and treaty law to cyber-related activities. Freedom of expression is drawn from Article 19 of the Universal Declaration of Human Rights (UDHR) and Article 19(2) of the International Covenant on Civil and Political Rights (ICCPR) (Schmitt 182). While freedom of expression is the most easily identifiable human right associated with cyberspace, individuals enjoy all human rights otherwise protected under international law. UDHR, Article 1 protects the right of individuals to hold an opinion without interference. With respect to privacy rights, the IGE determined that the right to privacy relates to confidentiality of communication. Individuals have the right to send correspondence through cyberspace with the expectation that it arrives without interception or being read by an unintended party (Schmitt 189).

Domestic application of the rights listed above is universally accepted by Western scholars. However, extraterritorial application of international human rights law is currently divided. Article 2(1) of the ICCPR states, “Each State Party to the present Covenant undertakes to respect and to ensure to all individuals within its territory and subject to its jurisdiction the rights recognized in the present Covenant, without distinction of any kind, such as race, colour, sex, language, religion, political or other opinion, national or social origin, property, birth or other status.” Some Western scholars view the article as being two separate obligations. States must “ensure” the rights of those located on its territory and it must “respect” the rights of those not located on its territory (Ohlin 1586). Applying this understanding to the NSA Equation Group operation, the US violated international law by not “respecting” the right to privacy of extraterritorial individuals.

The US took the official position in 1995 that the ICCPR does not maintain an extraterritorial application. The US Department of State legal advisor challenged this position in 2010, but the Obama administration kept the previously stated legal policy. As state cyber operations continue to increase in size, scope, and frequency, a cost-benefit analysis may show that extraterritorial application of the ICCPR would prove strategically beneficial for the US. The US clearly has much to lose by accepting an extraterritorial application of the ICCPR. The country has proven to be a massive collector of private information internationally. However, the strategic gain must be weighed against the growing concern of other states’ capacity to violate human rights on the territory of the United States.

Applied in the domestic context, the United States and many other Western countries are beginning to debate the balance between ensuring and protecting human rights versus ensuring and protecting public safety. Social media platforms are becoming the preferred cyber weapon conduits for state and non-state operations. The Department of Justice specifically named Facebook in its indictment of individuals and companies related to the 2016 election influence operation, ISIS systemically utilizes for recruitment and handling, and China routinely intercepts email communications among US companies in order to gain economic leverage.

Freedom of expression is a cornerstone of any well-functioning democracy and the United States has gone to great lengths to protect civil and political rights through cyberspace, both domestically and internationally. However, a critical balance must be struck between the US government interests, private industry, media platforms, and cherished civil and political rights of a well-functioning democracy.

Use of Force

At the heart of the research on the applicability of international law to state cyber operations is the concept of “use of force.” Cyber operations differ greatly from conventional military operations as previously described, and the current international framework for the prohibition on the use of force was written to address conventional force. Article 2(4) of the UN Charter states, “All Members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the Purposes of the United Nations” (United Nations "Charter of the United Nations"). Western experts agree that the UN Charter’s prohibition on the use of force strictly applies to state cyber operations. Two exceptions are uses of force authorized by the UN Security Council and those authorized as self-defense under international law (Harrison Dinniss 75). The threshold of the use of force as it applies to specific operations is a matter for continued debate, which has significant implications for state cyber strategies.

Western scholars generally classify cyber operations as a use of armed force if the attack directly or indirectly results in damage to physical property or causes injury or loss of life (Harrison Dinniss 74). In instances where the operation does not clearly cause physical damage, injury, or loss of life, the IGE provides eight criteria to determine if a cyber operation has reached the threshold of “use of force.” These criteria include severity, immediacy, directness, invasiveness, measurability of effects, military character, state involvement, and presumptive legality (Schmitt 334-36). The elements must be taken as a collection of circumstances for a state to make a determination on use of force.

Most cyber operations fall below the use of force threshold. However, Operation Olympic Games is clearly determined to meet the use of force threshold. The US operation continuously caused physical damage to Iran’s infrastructure over a period of years. This is a clear violation of UN Charter, Article 2(4). However, in order for Iran to maintain the legal right to self-defense, the operation would have to classify as an “armed attack.”

Armed Attack and Self-defense

Article 51 of the UN Charter states, “Nothing in the present Charter shall impair the inherent right of individual or collective self-defence if an armed attack occurs against a Member of the United Nations…” (United Nations "Charter of the United Nations"). Most Western scholars are in agreement that in order for a state to be authorized under international law to take individual or collective self-defense measures against a cyber operation, the operation must amount to an “armed attack.” An armed attack has at a minimum reached and exceeded the threshold for the use of force. Only an operation that reaches the level of an armed attack entitles the victim state to respond using force in self-defense. In order to reach the level of an armed attack, the operation need not utilize weapons per se, but must reach such “scale and effects” that it can be distinguished from other less grave forms of force (Schmitt 341). The concept of scale and effects is taken from Nicaragua v. United States and distinguishes armed attacks from the use of force, and the use of force from unlawful intervention. Figure 2 shows the narrowing of scope among the three levels of intrusion.

Figure 2: Levels of Cyber Operations (levels shown: Armed Attack, Use of Force, Unlawful Intervention). Source: Green, James A. Cyber Warfare: A Multidisciplinary Analysis. 2016. Print.

Operation Olympic Games is the only cyber operation that has been established as a use of force and debated as a possible armed attack. Due to the extensive damage Stuxnet caused to Iranian infrastructure, some experts view the event as an armed attack. However, other experts do not view the actual effects of the operation as being sufficiently damaging to qualify as an armed attack (Harrison Dinniss 82). While there is no definitive answer on where the most invasive cyber operation in history lies in international law, the fact that it is the subject of recent debate signifies the growing intensity of state cyber operations.

In the event a cyber operation is classified as an armed attack, the victim state is entitled under Article 51 of the UN Charter to take self-defense cyber measures. The use of force must be necessary and proportionate. The use of cyber operations in self-defense can also be utilized in response to attacks in other domains. For instance, a state may utilize cyber operations in response to a kinetic air attack. A state may also utilize force if a cyber attack is imminent, but has not occurred. The US takes the position that it retains the right to take anticipatory self-defensive measures in response to imminent attacks and the 2015 DoD Cyber Defense Strategy echoes this position (Robert Kehler, Lin and Sulmeyer).

In addition to individual and anticipatory self-defense, Article 51 of the UN Charter explicitly authorizes collective self-defense in response to an armed cyber attack if the victim state requests such assistance. Estonia contemplated invoking Article 5 of the NATO Treaty, which would trigger a collective self-defense response to the DDoS attacks in 2007. The 2007 operation was one of the first of its kind and the legal field surrounding state cyber operations was not robust. NATO was not prepared to consider the DDoS operation an armed attack (Green 18). The alliance has changed its position significantly in the previous decade in light of important legal research on the subject. In May of 2017, NATO officials stated that the alliance would not rule out invoking Article 5 of the charter if a member country experienced a serious attack that threatened critical military and civilian structure, adding “NATO would take a very different and offensive posture if a event on the scale of that launched against Estonia in 2007 were to happen now” (O'Dwyer).

Collective Security

One final aspect of international law relating to state cyber operations is the notion of collective security, specifically in relation to the UN Security Council. Western scholars suggest that the UN Security Council may authorize non-forceful measures in response to a cyber operation that constitutes a threat to the peace, breach of the peace, or act of aggression (Schmitt 357). The IGE draws this determination from Article 39 of the UN Charter which states, “The Security Council shall determine the existence of any threat to the peace, breach of the peace, or act of aggression and shall make recommendations, or decide what measures shall be taken in accordance with Articles 41 and 42, to maintain or restore international peace and security” (United Nations "Charter of the United Nations").

Article 41 permits the use of measures that do not reach the use of force threshold, including “complete or partial interruption of economic relations and of rail, sea, air, postal, telegraphic, radio, and other means of communication, and the severance of diplomatic relations” (United Nations "Charter of the United Nations"). If Article 41 measures are not sufficient or are inadequate, the Security Council may authorize use of force measures by “air, sea, or land forces as may be necessary to maintain or restore international peace and security” (United Nations "Charter of the United Nations").

The likelihood of the Security Council making this determination and authorizing such measures is minuscule for two reasons. First, in the previous decade, the UN Security Council has not considered cyber operations of any type to be a threat to the peace, a breach of peace, or an act of aggression. Secretary General Ban Ki-Moon implored the Security Council at its 6277th meeting in 2010 to consider cybercrimes an emerging threat to international peace. The Security Council made no response to the request and cyber operations have not been mentioned in Council meetings related to Article 39 since that date (United Nations "Repertoire of the Practice of the Security Council"). Secondly, three of the most pervasive state cyber actors are permanent members of the Security Council with veto power. China, Russia, and the United States are unlikely to put forth any resolutions that limit their ability to maneuver in cyberspace. As they use cyber operations that become closer and closer to the threshold of the use of force or an armed attack, they will be less likely to specifically name state cyber operations a threat to the peace or an act of aggression.

Russian Approaches

In order to develop effective cyber strategies, the US and NATO must understand how the Russian approaches to international law and cyber operations compare and contrast to the Western approaches. There are many areas where Russia is in agreement with the Western view, most importantly that an operation must cause physical damage or injury in order to be classified as an armed attack. This research will focus on the main ways in which Russian scholars and policymakers differ from the Euro-Atlantic/Western view in their understanding of how international law applies to cyber operations. Russian culture, national history, worldview, and current events all affect how international law is applied to cyberspace and they will be explored in this chapter.

Russia - including the former Soviet Union for purposes of this research - has been a consistent contributor to the international legal framework from the Peace of Westphalia in 1648 throughout the late-modern and contemporary eras. Two competing ideological schools of thought dominated Russian discourse throughout the 1800s until the Bolshevik revolution: the Westernizing and the Pan-Slavist/Eurasian school (Mälksoo Russian Approaches to International Law 39). A historical vacillation between European integration and isolation led to a contemporary Russia that focuses on moralistic or normative language as opposed to legal articles stricto sensu. Russia’s historically hostile relationship with the West, its tendency for authoritarian governmental structure, weakness of domestic rule of law, and its desire to maintain territorial integrity all influence contemporary Russia’s approach to how cyber operations are situated within international law (Mälksoo Russian Approaches to International Law 3).

Russian scholars and policymakers generally exploit the formal process of the UN and thrive in its bureaucracy. The UN process bridges the gap between Russia’s perceived great power status and its actual place among other economies, militaries, and civil societies across the globe. Russia holds its status as a permanent member of the UN dear, because it secures collective decision-making based on equality. Russia’s consistent post-Cold War decline is not reflected in its ability to continue to influence global governance on the UN stage (Lo 73). Russia’s UN P5 status serves as a counterweight to the West, specifically to US hegemony. Russian policymakers and scholars utilize the UN along with other multi-lateral groups and organizations such as BRICS (Brazil, Russia, India, China, and South Africa), the SCO (Shanghai Cooperation Organization), and CSTO (Collective Security Treaty Organization) to provide alternative views on global governance of state cyber operations. The country’s seat in the Security Council is critical to influencing any future security issues involving cyber operations. Like the West (specifically the US), Russia has a direct conduit through which to inject its approach to international law and cyberspace.

Russian scholars and policymakers differ from Western legal scholars in four aspects: 1) Russian scholars differ in their understanding of the relationship between state sovereignty and cyberspace, 2) Russian experts generally do not view the current international framework as a sufficient guiding body for establishing legal norms in cyberspace, 3) Russia’s concept of self-defense in cyberspace changes with the strategic environment, and 4) Russian scholars emphasize “information security” where Western scholars focus on “cyber security.” These four critical dissimilarities will be explored in the following subsections.

Sovereignty

Russian scholars definitively place state sovereignty as the cornerstone of international law. This is often given an illiberal, absolute sense of state sovereignty, which differs from the Western notion of sovereignty. The leading post-Soviet theoretician of international law, Stanislav Valentinovich Chernichenko, suggests that “the people of the Russian Federation cannot logically be the bearer of sovereignty; the bearer of sovereignty can only be the Russian Federation itself” (Mälksoo Russian Approaches to International Law 100). Valery Zorkin, the Chairman of the Constitutional Court of the Russian Federation, offers that state sovereignty and territorial integrity are currently under attack by human rights and the right of self-determination. Professor Alexei Alexandrovich Moiseev of the Diplomatic Academy of the Russian MFA suggests that sovereignty is absolute, indivisible, and cannot be limited in any way (Mälksoo Russian Approaches to International Law 101).

Russia’s intense concern about foreign intervention in domestic affairs intensifies this divergence from the Western school of thought regarding sovereignty. Russian policymakers suggest that political instability in the Middle East and North Africa is due in part to Western violation of sovereignty in the form of information pressure. These concerns only increased following the 2011 Russian parliamentary elections. Protests broke out across Russia at levels not seen since the 1990s and concern over Western efforts to influence regime change through information campaigns intensified. President Medvedev stated, “Look at the situation that has unfolded in the Middle East and the Arab world. It is extremely bad. There are major difficulties ahead...We need to look the truth in the eyes. This is the kind of scenario that they were preparing for us, and now they will be trying even harder to bring it about” (Giles and International Conference on Cyber Conflict 71).

The divergence in the understanding between the West and Russia on state sovereignty is a significant factor limiting agreement on norms of state cyber operations. Russia’s objection to the Budapest Convention illuminates this point. As noted previously, Western scholars suggest that a state enjoys sovereign authority with regard to the cyber infrastructure, persons, and cyber activities located within its territory, subject to international legal obligations. However, Russian legal experts maintain that information held within the infrastructure is also encompassed by state sovereignty. Russia is not alone, as the majority of CSTO and BRICS countries share this view. Russian experts’ views on cyber espionage stem from their general consensus on sovereignty. Article 32 of the Budapest Convention permits trans-border access to publicly available stored computer data, regardless of where the data is located geographically and without the consent of another party (Council of Europe Convention on Cybercrime, Budapest, 23 November 2001). Russian experts vehemently oppose Article 32 as a violation of sovereignty through state espionage.

Current International Legal Framework Versus New Treaty System

The fundamental dividing line between Western and Russian scholars is whether to apply existing international law to cyber operations or create new multi-lateral treaties that pertain specifically to cyberspace. One can easily surmise from Chapter 2 that Western scholars are in general agreement that applying the existing international legal framework to cyber operations is the preferred method of establishing appropriate behavior in cyberspace. However, Russian policymakers and scholars believe that creating stricter rules of responsible state behavior in cyberspace through new multi-lateral treaties is the best way ahead.

Russia was the first country to bring cyber operations to the attention of the UN General Assembly. The country’s interest in establishing a new international legal framework began as early as 1998, when it introduced a draft UN resolution expressing concern that information technologies and means, “…can potentially be used for purposes that are inconsistent with the objectives of maintaining international stability and security and may adversely affect the security of States…” Russia invited member states to provide definitions of basic notions related to information security, including unauthorized interference or misuse of information systems (United Nations General Assembly "Developments in the Field of Information and Telecommunications in the Context of International Security"). In addition, the draft resolution served as a catalyst for developing international principles that would help enhance global security and combat information terrorism and criminality. The draft was adopted without a vote as UN Resolution A/RES/53/70.

Not only Western scholars, but the international community as a whole was beginning to apply existing international law to cyber operations throughout the early 2000s with one exception. In late 2001, the Convention on Cybercrime, also known as the Budapest Convention, was introduced by the Council of Europe. The Convention serves as a guideline for any country developing comprehensive national legislation against cybercrime and as a framework for international cooperation. The Budapest Convention entered into force on July 1, 2004 and has been ratified by 56 Member and Non-Member States, including the United States. It is the first and only binding international instrument on the issue of cybercrime. The guiding force behind the treaty was not to specifically define acts of state cyber operations, but to provide a general domestic framework for combatting cybercrime and protecting the rights of the individual in cyberspace. The Convention is stated to exist in order to “protect you and your rights in cyberspace” (Council of Europe "Action against Cybercrime"). Three years after the adoption of Russia’s draft UN resolution, it quickly became clear that the country would only accept an additional legal framework on its exact terms.

Today, Russia remains the only Member Country of the Council of Europe to neither sign nor ratify the Budapest Convention. The country’s objections are mainly aimed at Article 32 of the Convention, illuminating the divide between the Western and Russian understanding of sovereignty and espionage. Russian policymakers and scholars state that Article 32 permits such “cross border access” that some countries’ special services can penetrate other countries’ networks and conduct operations without the knowledge of the state. Moscow states that this provision “violates sovereignty and threatens security” (Chernenko "Belarus Chose to Make the Internet Safer").

In 2012, the Group of Governmental Experts (GGE) consisting of representatives from 15 UN Member States met with the goal of producing a report on developments in the field of information and telecommunications in the context of international security. The GGE, which included representatives from the United States and the Russian Federation, determined unanimously that, “International law, and in particular the Charter of the United Nations, is applicable and is essential to maintaining peace and stability and promoting an open, secure, peaceful and accessible ICT [Information and Communications Technologies] environment” (United Nations General Assembly "Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security" 8).

Russian experts contradicted this view at the very same GGE meeting when Russia, China, Uzbekistan, and Tajikistan introduced the Draft International Code of Conduct for Information Security. The GGE included the draft in its report as document A/66/359 and indicated that Russia would only accept cyberspace regulation on its own terms. The document was a counterweight to the Budapest Convention and highlighted Russia’s concern that the Convention lacked provisions to address state cyber operations and terrorist activities in cyberspace (Chernenko "Opposition of Superpowers"). The code of conduct recognized the UN Charter and “universally recognized norms governing international relations,” but continues to separately identify issues of sovereignty, territorial integrity, human rights and fundamental freedoms, and the respect for the diversity of history, culture, and social systems of all countries (United Nations General Assembly A/66/359 4). In September of 2011, Russia separately introduced a Draft Convention on International Information Security.

The CSRC (Conflict Studies Research Centre) based in the UK and the IISI (Institute of Information Security Issues) from Moscow State University published a parallel commentary on the draft UN Convention on International Information Security. The commentary provides a unique opportunity to compare Western and Russian views on the applicability of existing international law to state cyber operations. The comparison reveals that Russia wishes to introduce additional legal architecture in order to secure the ability of the state to control information as well as infrastructure. At the heart of the Western-Russian ideological divide is how each views the purpose of cyberspace. IISI acknowledges through its commentary on Article 4 of the Draft Convention that, “The countries that have taken a liberal approach towards content (primarily the US) show anxiety and claim that nobody has the right to control the content as that would hinder the free flow of information on the net, lower the intensity of innovations, etc.” IISI responds to this liberal approach by suggesting, “A state, basing on its sovereignty and acting on behalf of its citizens, determines that specific content carries some negative elements and limits its spread at the legislative level.” CSRC highlights this response as a clear indication that Russia views international law as providing not only for “cyber security,” but takes it one step further by focusing on “information security” (Conflict Studies Research Centre 4, 27).

In January of 2015, Russia in conjunction with other SCO countries introduced a revised Draft International Code of Conduct for Information Security. Because the 2011 Code of Conduct “gave rise to extensive international attention and discussion after it was distributed as a document of the General Assembly,” the authors “revised the code of conduct, taking into full consideration the comments and suggestions from all parties” (United Nations General Assembly A/69/723 1). Analysts suggest that the revised Draft contains only minor additions and modifications, and that the general nature of the document has remained the same. The updated document does not mention a global consensus on the application of existing international law to cyberspace, even though Russia expressed this in the 2013 UN GGE report (Rõigas). The draft is unlikely to gain much traction in the General Assembly due to its contradictory language with respect to human rights issues. The Code of Conduct includes a statement from the UN Human Rights Council Internet Freedom Resolution that “the same rights people have offline must also be protected online.” However, the Draft concludes that states may restrict those rights to protect health, national security, public order, and morals (Grigsby). Russia’s continued persistence in the face of oppositional Western consensus demonstrates its resolve to shape international norms on its own terms.

Self-Defense

The most recent session of the UN GGE convened in June of 2017 and was disastrous for any level of consensus building. The GGE provided no final report to the Secretary General and did not recommend any future meetings. Because the UN GGE process is non-attributional in official correspondence, it is difficult to establish the exact points of breakdown. However, announcements from GGE participants signal the areas of disagreement on the applicability of international law to cyber operations. Even though Russia was not named explicitly in formal reports, it is widely accepted that it maintained a strong position that discussion of jus ad bellum, international humanitarian law, and the law of state responsibility would be incompatible with the UN message of peaceful resolution of disputes and conflict prevention. Michele Markoff, the US representative to the GGE, issued a statement following the breakdown of the meetings. She stated, “some participants…want to walk back progress made in previous GGE reports…those who are unwilling to affirm the applicability of these international legal rules and principles believe their States are free to act in or through cyberspace to achieve their political ends with no limits or constraints on their actions” (Markoff). The GGE was unanimous in its 2015 report that the UN Charter “…is applicable and is essential to maintaining peace and stability and promoting an open, secure, stable, accessible and peaceful ICT environment” (United Nations General Assembly A/70/174 12). However, the specific wording of paragraph 26 in the 2015 report is essential to understanding the Russian position on how international law applies to cyber operations and the breakdown of consensus building at the 2017 GGE meeting. Paragraph 26 states:

In considering the application of international law to State use of ICTs, the Group identified as of central importance the commitments of States to the following principles of the Charter and other international law: sovereign equality; the settlement of international disputes by peaceful means in such a manner that international peace and security and justice are not endangered; refraining in their international relations from the threat or use of force against the territorial integrity or political independence of any State, or in any other manner inconsistent with the purposes of the United Nations; respect for human rights and fundamental freedoms; and non-intervention in the internal affairs of other States. (United Nations General Assembly A/70/174 12)

The text of paragraph 26 makes no mention of self-defense or appropriate responses to state cyber operations. However, Markoff and other Western experts were eager to solidify how international law applies to states’ use of cyberspace, including law governing the exercise of self-defense, state responsibility, and countermeasures (Markoff). Not only did the GGE fail to address the threshold at which Article 51 applies to state cyber operations; its members could not even agree whether it applies to cyber operations at all. Russia is among the states unwilling to address the issue of how Article 51 is situated within cyber operations, and the fact that the GGE process may have reached a culminating point is not surprising. The fundamental differences between how Russia and the West view cyberspace were bound to be uncovered as the GGE process became more and more specific in its reporting.

Russian experts have become increasingly wary of the UN Charter’s Article 51 inherent right to self-defense, especially in light of what they view as US hegemonic behavior in the 2003 Iraq invasion. One Russian scholar suggested that the American invasion of Iraq signaled the end of modern international order and that the UN is incapable of carrying out the functions foreseen by the UN Charter (Mälksoo Russian Approaches to International Law 135). Legal scholars within Russia view Article 51 of the UN Charter, specifically the Western notion of anticipatory self-defense, as a “catch-all” to justify military action that does not fit neatly within the exact wording of the Article. However, Russia’s stance on Article 51 is not absolute. It did invoke the Article in both the Russo-Georgian War and the Crisis in Ukraine. These facts lead this research to suggest that the current operational environment is more responsible for the Russian stance on Article 51 than legal theory.

The fact that the Russian representative to the GGE could provide no consensus on how or even if Article 51 applies to cyber operations is no coincidence. After a successful 2015 GGE meeting that reached some level of consensus, the Russian representative all but left the discussion at the 2017 GGE meeting. The DNI report on Russian activities in the 2016 presidential election was released in January of 2017, and this had a profound impact on discussions of self-defense. Russian experts already point to the West’s general interventionist posture and overutilization of Article 51 in conventional conflicts. Detailed analysis of previous US military interventions shows little UN Charter support and frequent UN objections (Quigley 412). Some scholars suggest that the 9/11 attacks were more criminal in nature than an armed attack. This did not prevent the US from invoking Article 51 against the country of Afghanistan (Quigley 362). Russia can assume that the West is willing to act in self-defense when it determines a country can be linked to an operation. The country is strategically choosing to refuse discussion altogether regarding the application of Article 51 to cyber operations. Any concession would essentially hand a permission slip to the United States if it were to choose to invoke Article 51 in response to a Russian cyber-attack.

Cyber Security vs. Information Security and International Human Rights Law

Russia is one of the most stalwart supporters of International Human Rights Law when it comes to putting pen to paper at the UN. The country is party to most UN Human Rights Conventions. This includes three to which the United States is not a party: the International Covenant on Economic, Social, and Cultural Rights; the Convention on the Elimination of All Forms of Discrimination Against Women; and the Convention on the Rights of the Child. The Russian Federation and Soviet Union prided themselves on being leaders on the international stage with respect to legal framework in human rights. Yet, within Russia, there is a distinct divide between the codification of human rights and the protection of human rights in practice.

Human Rights Watch cites widespread violations of Russian citizens’ freedom of assembly, association, information, and expression (Human Rights Watch). Freedom House rated the Russian Federation “not free” in its 2018 Freedom in the World report with an aggregate score of 20/100 for political rights and civil liberties (Freedom House). This research does not dispute the fact that many Western countries, including the US, are noted in Human Rights Watch and Freedom House reports for human rights violations. However, the extreme dichotomy between Russia’s presence in international human rights legal framework and the actual protection of human rights is noteworthy.

This dichotomy is due in part to Russia’s view that international law exists primarily and strictly through nation-states. After WWII, Western Europe and the US began to shape international law to view individuals as subjects of it as well as states. Through the Soviet Union’s and contemporary Russia’s domestic human rights record, it is evident that the country is still in debate over the notion of individuals as subjects of international law. This is not to suggest that the individual has no place in international law according to Russian scholars, but the individual is a subject of the state. Western scholars and specifically US scholars suggest that individuals encompass the state. S.V. Chernichenko stated, “the individual as a subject of international law is a liberal-Western conspiracy. I have seen through it, and I for one will not surrender my original position” (Mälksoo "International Legal Theory in Russia : A Civilizational Perspective, or Can Individuals Be Subjects of International Law?" 268). E.V. Sofronova, a legal theorist from Belgorod University, adds that of all the principles of international law, the West has been raising the protection of individual human rights at the cost of state sovereignty, which is visible in numerous humanitarian interventions across the globe (Mälksoo "International Legal Theory in Russia : A Civilizational Perspective, or Can Individuals Be Subjects of International Law?" 274). This ideology is directly related to international human rights in cyberspace and creates a distinction between the Western notion of cyber security, centered on protecting the rights of the individual user, and the Russian notion of information security, centered on protecting the state.

Recall that Western scholars apply Articles 1 and 19 of the UDHR and Article 19(2) of the ICCPR to state cyber operations. The Russian proposition for an international legal framework in the Draft UN Convention on International Information Security makes mention of human rights protection, but this is secondary to the interests of the state. The most glaring difference between Western and Russian applications of international law to cyber operations is the notion of cyber security versus information security. The Western idea of cyber security stems from its basic ideology surrounding cyberspace in general. Western countries view cyberspace as an open forum for the free flow of ideas, which has positive benefits for the economy and civil society and is woven into virtually every aspect of day-to-day life. Western scholars view international law as protecting the rights of individuals within cyberspace. By contrast, Russia views the information space as an existential threat to its values and political stability and has sought to control all aspects of information within its borders, including through cyberspace. The control of information through cyberspace is simply a continuation of Putin’s policy of controlling media and domestic information since he came to power (Radin, Reach and NDRI 71). Russia’s Information Security Doctrine states that information warfare is the “manipulation of the flow of information in the information space of other governments, disinformation or the concealment of information with the goal of adversely affecting the psychological or spiritual state of society, or eroding traditional cultural, moral, and aesthetic values” (Radin, Reach and NDRI 73).

This research does not suggest that Western nation-states are not experiencing ideological struggles between protecting human rights in cyberspace and protecting the interests of the state. Indeed, there is relevant discussion within the United States at the policy level about net neutrality and security issues posed by social media platforms. Recall the DNI’s inclusion of Facebook in his report on Russian activities in the 2016 presidential election. The point of incongruence is the intense levels of debate in Western countries involving discussion among citizens, private IT companies, and the public sector before any action is realized with respect to limiting human rights within cyberspace. The default in Russia is that all information through cyberspace is a threat to the regime until it is proven otherwise. This is evident in domestic actions. Through the execution of domestic cyber operations, Russia has demonstrated both its view of cyberspace as a tool for furthering the government’s agenda as well as a domain in which it clearly asserts its dominance. After the time of the Duma elections in 2011, the election monitoring NGO Golos published a series of reports on alleged campaign fraud throughout the country. Fearing public dissent and continuing a prolonged crackdown on nongovernment media, the Russian government targeted the Golos website with DDoS attacks (Wegren 141).


Chapter 4: Implications and Conclusion

It is apparent through this research that the differences in the application of international law to cyber operations among nation-states cause significant issues in international relations. The main consequence is that nations with different applications of international law operate within cyberspace according to their own ideas of permissibility. This causes ambiguity in what constitutes a state of peace or war. Peaceful actions by some may be considered hostile actions by others. Assumptions by US policymakers and strategists that there exists a universal understanding of international law lead to ineffective cyber strategies and miscalculations of an adversary’s actions.

International treaties in the fields of conventional and nuclear conflict provide nation-states with some level of stability and predictability. Within cyberspace, no such universal consensus exists to date (Giles et al. 2). In light of this lack of consensus and the breakdown of top-down diplomacy through the GGE process, there are three options for the US moving forward. It can: 1) focus on developing a body of customary international law by developing behavior and practices in cyberspace, 2) continue attempts to achieve consensus through the creation of new law or adhering to existing law, or 3) focus on more immediate concerns regarding cybersecurity in areas of consensus below the use of force.

This research suggests that the US should focus on all three options as a combined policy moving forward. In lieu of consensus on the application of international law, the US can only directly influence the creation of cyberspace norms through active cyber operations that begin to shape the parameters of acceptable behavior. The US must recognize that as international cyber norms develop, the nation-states with the greatest influence in cyberspace will guide the discussion (Fischerkeller and Harknett 381). The failure of the GGE process due to ideological differences between the West and Russia must not stall future discussion on international law and state cyber operations. The US specifically attempted to gain consensus too soon with respect to the inherent right to self-defense, state responsibility, and countermeasures (Segal "The Development of Cyber Norms at the United Nations Ends in Deadlock. Now What?"). Its insistence on consensus at the 2017 GGE meetings ended in disaster. The US should come to the table in future discussions with a less aggressive posture and seek incremental agreement. Finally, there is a plethora of cyber security concerns on which most countries are in agreement. Many of these relate to attacks against critical infrastructure, emergency services, non-state terrorist actor attacks, and economic espionage against private companies. The US should capitalize on areas of agreement with the Russian Federation. Achieving consensus on areas of common interest serves as a launching point for further discussion. Two things are certain. Cyber operations for the purpose of furthering state power, wealth, and influence are increasing, and countries will apply international law incongruously to state cyber operations for the foreseeable future. The US plays an important role in shaping this environment. US policymakers and strategists should incorporate this combined policy in future negotiations as opposed to recoiling at the suggestion that a contradictory Russian approach to international law exists.


References

Blackwill, Robert, and Philip Gordon. "Containing Russia, Again: An Adversary Attacked the United States—It’s Time to Respond." Council on Foreign Relations 2018. Web.

Chernenko, Elena. "Belarus Chose to Make the Internet Safer." (2012). Web. February 28, 2018.

---. "Opposition of Superpowers." (2017). Web. March 1, 2018.

Clinch, Matt. "Read the Full Russia 'Oligarch List' Released by the US Treasury." CNBC 2018-01-30. Web. February 8, 2018.

Conflict Studies Research Centre. Russia's "Draft Convention on International Information Security" : A Commentary. Oxford, 2012. Print.

Connell, Michael, Sarah Vogler, and CNA Corporation. "Russia's Approach to Cyber Warfare." (2017). Print.

Council of Europe. "Action against Cybercrime." 2018. Web. February 28, 2018.

---. Convention on Cybercrime, Budapest, 23 November 2001. Strasbourg: Council of Europe, 2002. Print.

Council on Foreign Relations. "Connect the Dots on State-Sponsored Cyber Incidents." (2018). Print.

De Falco, Marco. Stuxnet Facts Report: A Technical and Strategic Analysis. Tallinn: NATO CCDCOE, 2012. Print.

Department of Justice. "Grand Jury Indicts Thirteen Russian Individuals and Three Russian Companies for Scheme to Interfere in the United States Political System." 2018. Web. February 20, 2018.

DeYoung, Karen, Ellen Nakashima, and Emily Rauhala. "Trump Signed Presidential Directive Ordering Actions to Pressure North Korea." Article. Washingtonpost.com 2017/09/30. Print.

Fischerkeller, Michael P., and Richard J. Harknett. "Deterrence Is Not a Credible Strategy for Cyberspace." Orbis 61.3 (2017): 381-93. Print.

Freedom House. "Freedom in the World 2018: Russia Profile." Freedom House 2018-01-05. Web. March 4, 2018.

Giles, Keir, et al. "Legality in Cyberspace : An Adversary View." (2014). Print.

Giles, Keir, and International Conference on Cyber Conflict. "Russia's Public Stance on Cyberspace Issues." (2012): 1-13. Print.

Green, James A. Cyber Warfare : A Multidisciplinary Analysis. 2016. Print.

Greenberg, Andy. "'Crash Override': The Malware That Took Down a Power Grid." Wired 2017. Print.

Grigsby, Alex. "Will China and Russia’s Updated Code of Conduct Get More Traction in a Post-Snowden Era?" Council on Foreign Relations 2015. Web. March 1, 2018.

Groll, Elias. "‘Obama’s General’ Pleads Guilty to Leaking Stuxnet Operation." Foreign Policy 2016-10-17. Web. February 12, 2018.

Harrison Dinniss, Heather. Cyber Warfare and the Laws of War. New York: Cambridge University Press, 2012. Print.

Human Rights Watch. "World Report 2018: Rights Trends in Russia." 2018-01-04. Web. March 4, 2018.

Joubert, Vincent, NATO Defense College, and North Atlantic Treaty Organization. Five Years after Estonia's Cyber Attacks : Lessons Learned for NATO? Rome: NATO Defense College, Research Division, 2012. Print.

Korns, Stephen W., and Joshua E. Kastenberg. "Georgia's Cyber Left Hook." Parameters XXXVIII.4 (2008). Print.

Kotkin, Stephen. "Russia's Perpetual Geopolitics Putin Returns to the Historical Pattern." Foreign Affairs 95.3 (2016): 2-9. Print.

Lo, Bobo. Russia and the New World Disorder. 2015. Print.

Markoff, Michele. "Explanation of Position at the Conclusion of the 2016-2017 UN Group of Governmental Experts (GGE) on Developments in the Field of Information and Telecommunications in the Context of International Security | Usun.State.Gov." 2017. Web. March 2, 2018.

Mehta, Rupal, and Rachel Whitlark. "The Iran Nuclear Deal Isn’t So Great — for Iran." . 2018 (2017). Web.

Mälksoo, Lauri. "International Legal Theory in Russia : A Civilizational Perspective, or Can Individuals Be Subjects of International Law?" The Oxford Handbook of the Theory of International Law (2016): 257-75. Print.

---. Russian Approaches to International Law. 2015. Print.

Nakashima, Ellen. "Russian Military Was Behind ‘NotPetya’ Cyberattack in Ukraine, CIA Concludes." 2018. Print.

NATO. "Bucharest Summit Declaration - Issued by the Heads of State and Government Participating in the Meeting of the North Atlantic Council in Bucharest on 3 April 2008." 2018. Web.

O'Dwyer, Gerard. "NATO Might Trigger Article 5 for Certain ." Federal Times (2017). Print.

Ohlin, Jens David. "Did Russian Cyber Interference in the 2016 Election Violate International Law?" Texas Law Review 95.7 (2017). Print.

Oliphant, Roland, and Cara McGoogan. "NATO Warns Cyber Attacks 'Could Trigger Article 5' as World Reels from Ukraine Hack." The Daily Telegraph 2017. Print.

Osula, Anna-Maria, Henry Rõigas, and NATO CCDCOE. "International Cyber Norms : Legal, Policy & Industry Perspectives." (2016). Print.

Ottis, Ryan. "Analysis of the 2007 Cyber Attacks against Estonia from the Information Warfare Perspective." Proceedings of the 7th European Conference on Information Warfare and Security (2008): 163-68. Print.

Quigley, John B. The Ruses for War : American Interventionism since World War II. Amherst, N.Y.: Prometheus Books, 2007. Print.

Radin, Andrew, Clint Reach, and NDRI. "Russian Views of the International Order." (2017). Print.

Robert Kehler, C., Herbert Lin, and Michael Sulmeyer. "Rules of Engagement for Cyberspace Operations: A View from the USA." Journal of Cybersecurity (2017). Print.

Ryan, Missy, Ellen Nakashima, and Karen DeYoung. "Obama Administration Announces Measures to Punish Russia for 2016 Election Interference." The Washington Post 2016. Print.

Rõigas, Henry. "An Updated Draft of the Code of Conduct Distributed in the United Nations – What’s New?" 2015-02-10. Web. March 1, 2018.

Sanger, David. "Iran Fights Malware Attacking Computers." 2010-09-25. Web. February 9, 2018.

Sanger, David E. "Obama Order Sped up Wave of Cyberattacks against Iran." Article. The New York Times 2012/06/01: A1(L). Print.

Sanger, David E., and William J. Broad. "Hand of U.S. Leaves North Korea's Missile Program Shaken." Article. The New York Times 2017/04/19: A10(L). Print.

Schmitt, Michael N. Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations. 2017. Print.

Segal, Adam. "The Development of Cyber Norms at the United Nations Ends in Deadlock. Now What?" Council on Foreign Relations 2017. Web. March 5, 2018.

---. The Hacked World Order : How Nations Fight, Trade, Maneuver, and Manipulate in the Digital Age. 2016. Print.

---. "Tracking State-Sponsored Cyber Operations." @CFR_org 2018. Web.

SANS Industrial Control Systems. Analysis of the Cyber Attack on the Ukrainian Power Grid. Washington, D.C., 2016. Print.

United Nations. "Charter of the United Nations." 2015-08-10 1945. Web. February 22, 2018.

---. "Repertoire of the Practice of the Security Council." United Nations 20-07-2009. Web. February 23, 2018.

United Nations General Assembly. A/66/359. 2011. Print.

---. A/69/723. 2015. Print.

---. A/70/174. 2015. Print.

---. "Developments in the Field of Information and Telecommunications in the Context of International Security." A/RES/53/70. 1999. Print.

---. "Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security." A/68/98. 2013. Print.

Hague and Geneva Conventions. 1911. [Govt. Print. Off. Print.

United States, Office of the Director of National Intelligence, and National Intelligence Council. "Assessing Russian Activities and Intentions in Recent US Elections." (2017). Print.

United States, and President. National Security Strategy. Washington: White House, 2010. Print.

United States Executive Office of the President. A National Security Strategy for a New Century. [Washington, D.C.]: White House, 1998. Print.

United States President. National Security Strategy of the United States. [Washington, D.C.]: The White House, 2017. Print.

US-CERT. "Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors." 2018. Web. March 22, 2018.

Wegren, Stephen K. Putin's Russia : Past Imperfect, Future Uncertain. 2016. Print.

Zetter, Kim. "Inside the Cunning, Unprecedented Hack of Ukraine's Power Grid." Wired (2016). Web.