ARGUMENT: CyberthreatsWhat Would Happen If States Started Looking at Cyber Operations as a “Threat” to Use Force?

How are threats of force conveyed in cyberspace? When hackers compromised the SolarWinds Orion software in the spring of 2020, they trojanized the so-called Sunburst backdoor, a system designed to communicate with third-party providers. Through that backdoor, the hackers could execute commands, including disabling services and rebooting machines.

Duncan B. Hollis and Tsvetelina van Benthem write in Lawfare that this operation was effectively a power transfer and a significant one, at once giving those actors an “eye” into all of the victim’s data and a finger on the trigger. “Regardless of how one qualifies the operation against SolarWinds, how the features of such operations interact with the rules of international law requires attention,” they write.

Public reporting about SolarWinds suggests the operation was limited to data exfiltration from a circumscribed group of victims that did not suggest any future use of force. Nonetheless, the case raises a question: “If the presence of backdoors in a victim’s network allows for future exploits capable of causing functionality losses generating destruction (or even deaths), could their presence be seen as threatening such results? More broadly, when does a cyber operation that does not itself constitute a use of force threaten force?” they ask.

They add:

Article 2(4) of the U.N. Charter requires member states to refrain from both the “threat” and the “use” of force. When it comes to cyberspace, the latter prohibition has spawned seemingly endless discussions among states (for recent roundups, see, for example, here and here) and scholars alike (see here, here, here, here, and, of course, here). International legal discourse is entering its third decade of debates on what constitutes a use of force in cyberspace, how to assess scale and effects in this new environment, and whether cyber operations that the international community has already observed, such as Stuxnet or NotPetya, qualify as a use of force or even rise to the level of an armed attack to which states can respond in self-defense. In contrast, the prohibition on the threat to use force has received almost no attention. Considering the recent drastic upsurge in cyber operations, and their diverse means, methods, and effects that individually (or collectively) imply a risk of further operations, there is a need for more dialogue about the obligation to refrain from the threat of force in cyberspace.

Hollis and van Benthem say they hope to launch that conversation, exploring an otherwise underutilized obligation in the international legal arsenal that may yet have an important role to play in regulating state and state-sponsored cyber operations.

The conclude:

A careful consideration of the prohibition on threats to use force in cyberspace is both useful and necessary. It offers a way to reorient the law’s application—to think about the law applying not just to what states do but also to what those actions threaten to do, whether expressly or implicitly. A precise threshold for assessing cyber operations through the lens of threats of force is yet to be fully fleshed out. The goal of this post is more modest—to call on states and other stakeholders to recognize the reality and thus the potential of using Article 2(4) of the U.N. Charter to bar not just uses of force in cyberspace but also threats of such force by equal measure.