Chief legal advisor to government says UK can legally launch cyberattacks against hostile nations, and calls for international “rules of the road”
The United Kingdom can legally launch cyberattacks against hostile nation states that attack critical industries, the Attorney General has confirmed.
The clarification was provided by Attorney General, the Rt Hon Suella Braverman QC MP, when she set out the UK’s position on applying international law to cyberspace in a speech at Chatham House.
While explaining how countries can use defensive countermeasures if key services are targeted, Braverman also called for global agreement on international law and how it should be applied in cyberspace.
During the speech, the Attorney General said the united international response to the illegal invasion of Ukraine illustrated the need to have a clear framework for cybersecurity that makes clear when state action is unlawful.
However, Braverman insisted that cyberspace is not lawless and argued that a cyberattack should be treated the same as a physical attack, and that nation states must lead the debate on what they see as the ‘rules of the road’.
The Attorney General said that nation states can legally introduce sanctions as well as cyber countermeasures, provided they were “proportionate to an unlawful attack by a hostile nation.”
Braverman pointed out that the threat from cyberattacks is very real, and disruptive state cyber behaviour has caused chaos across the world. She noted that before its illegal invasion of Ukraine, Russia targeted destructive malware against hundreds of systems across Ukraine, affecting its IT, energy, and financial sectors.
“The United Kingdom’s aim is to ensure that future frontiers evolve in a way that reflects our democratic values and interests and those of our allies,” said AG Braverman.
“The law needs to be clear and well understood if it is to be part of a framework for governing international relations and to rein in irresponsible cyber behaviour,” she added. “Setting out more detail on what constitutes unlawful activity by states will bring greater clarity about when certain types of robust measures are justified in response.”
Speaking to the Daily Telegraph about the matter, she admitted there was “confusion” and a “vacuum” over how international law should apply in cyberspace. She believed that there would be a consensus but there was, as yet, no legal document.
She stressed that the governing principle should be that of non-intervention, but steps would need to be agreed if a nation faces “coercive and disruptive” acts that are deemed unlawful.
She identified the four most significant sectors vulnerable to cyber attacks:
- energy security;
- essential medical care (i.e. hospitals);
- economic stability (including supply chain disruption);
- democratic process (elections etc).
She said clearing up international law on these matters would mean nation states could be clear about the range of potential options that could lawfully be taken in response.
“If a state says ‘We believe we have been on the receiving end of an unlawful cyberattack’; they would legitimately have a right to respond through countermeasures,” she told the Daily Telegraph.
“It could include economic sanctions, restricting freedom of movement. That is visa bans – you could exclude a nation from international groups and other diplomatic measures.”
The Telegraph then asked her if it could include cyberattacks against the hostile state.
“They can be of the same character,” she replied. “They could involve cyber and non cyber. If you clearly established unlawfulness and if it was the most and most proportionate means (of responding), it would be justified. It is defensive cyber, effectively.”
Waiting for international law
The intervention of the UK’s Attorney General about the legalities concerning cyberattacks by nation states was noted by Jake Moore, global cybersecurity advisor at ESET.
The Slovakia-based cybersecurity specialist recently helped foil a cyberattack by Russia’s GRU on Ukraine’s energy grid.
“Cyber law is one of the most complex and difficult areas to manage due to how the occurrences are often unattributable to any particular country,” said Moore. “The dynamics and of course the differences between nations can cause conflict of their own or even the ability to avoid any given situation.”
“Clearly a framework to counter hostile states is vital but the intricacies in this context remain a difficulty in its own right to agree on,” said Moore. “It is clear that more needs to be done to combat as well as fight international cybercrime such as espionage and increasing cyber war but waiting for a set of international rules can often leave a far greater opportunity given the time it takes for this approval.”
Last year US President Joe Biden directly addressed the issue of cyberattacks, and he admitted they could cause a ‘real shooting war’ with a ‘major power’.
This issue was also raised during face-to-face talks between President Biden and Vladimir Putin in June 2021.
Ever since 2011 the United States has said it reserves the right to retaliate with military force against a cyberattack from a hostile state.
UK’s cyber arsenal
The UK government unveiled in December its National Cyber Strategy, to ensure the country has the necessary means to defend itself in cyberspace.
However, the United Kingdom has been steadily growing its offensive cyber capabilities over the past decade.
The exact nature of the UK’s offensive cyber weaponry is a closely guarded secret, but in a submission to a December 2017 report by parliament’s intelligence and security committee, GCHQ said the capabilities of its cyber unit extended to “the high end of counter state offensive cyber capabilities.”
In April 2018 the government confirmed it had carried out a cyberattack on the ISIL or Islamic State terrorist group.
National Cyber Force
And in October 2021 the UK revealed the headquarters of the National Cyber Force (NCF) in Samlesbury, Lancashire.
This is a specialist cyber force that targets terror groups and hostile nation states.
It was officially launched in November 2020.
The NCF combines personnel from intelligence, cyber and security agency GCHQ, the MoD, the Secret Intelligence Service (MI6) and the Defence Science and Technology Laboratory (DSTL), under one unified command for the first time.
Its remit is to carry out offensive cyber operations, which “can disrupt hostile state activities, terrorists and criminals threatening the UK’s national security – from countering terror plots to conducting military operations.”