Eight months after the NotPetya ransomware/wipeware disabled 10% of computers in Ukraine and inflicted financial costs amounting to 0.5% of Ukraine’s GDP and over $1 billion worldwide, the Five Eyes countries (Australia, Canada, New Zealand, the UK, the US) and Denmark attributed its use to the GRU, Russia’s military intelligence service.
The US, having called out states’ malicious behavior in cyberspace in the past (e.g. the 2014 Sony Pictures hack and the 2017 WannaCry ransomware attack by North Korea), this time pledged that “international consequences” would follow “the most destructive and costly cyberattack in history.” Interestingly, according to the Russian anti-virus company Kaspersky, the BadRabbit ransomware, which four months later targeted news and media outlets in Russia as well as the Kiev metro and Odessa airport in Ukraine, was executed by the same hackers as NotPetya.
Melissa Hathaway and many other cyber security experts have argued that the lack of strong and predictable responses to cyber-attacks decreases international stability and security in cyberspace. Indeed, state-affiliated cyber-attacks have become more sophisticated in recent years, demonstrating both that states do not exercise self-restraint even when they have agreed to do so, and that damage to critical infrastructure has become the “new normal.” For example, Russia’s cyber activities against Ukraine have matured over the past four years. In spring 2014, low-level cyber activity, mainly cyber espionage and denial-of-service attacks, was observed in Ukraine (an exception to this trend was a more sophisticated cyber-attack against the Ukrainian Election Committee); however, in 2015 and 2016 cyber-attacks caused power outages and disrupted several public services, while in 2017 NotPetya disabled financial and other critical infrastructure. In 2014 Anonymous Ukraine and CyberBerkut (the latter has been linked to the GRU) were the suspected culprits, while in 2017 the Russian military was implicated in the attacks.
What types of legal, political, diplomatic, cyber, and economic responses are available to deter Russia and other rogue states from undertaking destructive cyber operations in the future? Under international law many of the possible responses are illegal unless they fulfill specific conditions. A state can respond to cyber-attacks only in cases where the cyber operation constitutes a “use of force” under UN Charter Article 2 (4), an “armed attack” under Article 51, or an “internationally wrongful act.” A number of legal scholars agree that ransomware attacks can constitute a violation of sovereignty. Michael Schmitt, an editor of the Tallinn Manual on the International Law Applicable to Cyber Operations 2.0, takes the view that if malware destroyed or altered data (which NotPetya did), the sovereignty of Ukraine and other target countries was violated; accordingly, these countries could apply countermeasures as long as these are proportionate and intended to compel Russia to cease its operations. Furthermore, among other limitations on the use of countermeasures, a targeted country must first call upon the aggressor to stop its wrongful actions and, if feasible, declare its intent to use countermeasures.
It is not clear whether NotPetya met the threshold of an armed attack by causing “serious economic impact”, “significant physical damage or injury,” or the “destruction of critical infrastructure.” If Ukraine deemed the physical or economic impact serious enough, it could therefore respond by use of kinetic force as long as the response is proportional, necessary, imminent, and immediate. The jury is still out on the question of what kind of responses to a NotPetya type of attack are legal under international law. Unfortunately, there has been no public discussion about whether various state-attributed cyberattacks constitute the use of force, or whether they meet the definitions of a use of force, an armed attack or an internationally wrongful act.
What is clear is that in addition to violating state sovereignty, Russia violated political (if legally non-binding) voluntary norms to which it has agreed. The 2015 UN Group of Governmental Experts report stipulated that states should not conduct or knowingly support ICT activity that intentionally damages or impairs critical infrastructure. Andrei Krutskikh, the Russian Presidential Special Envoy for International Cooperation in Information Security, who contributed to the report, confirmed that Russia’s main goal is to prevent the use of ICT for political and military purposes. Nevertheless, Russia launches disruptive cyber-attacks against critical infrastructure, and dismisses their attribution to its security services and military by claiming that the charges against it must be based on proven evidence. The use of information and cyber tools is part of Russia’s long-term campaign to undermine liberal democracies, and to keep Ukraine and other countries in its self-declared “sphere of influence”. As long as “hard evidence” of attribution is not presented publicly, Russia has no reason to alter its rhetoric and behavior. Nevertheless, Russia should be consistently called out for its behavior in various international fora, and Russian individuals and companies responsible for attacks should be made to pay a financial price for their actions.
So far, the political response has been relatively minimal: six democratic countries have attributed the NotPetya cyber-attacks to Russia. Public attribution is a strong signal that the West is not going to tolerate increasing recklessness forever. Attribution can be considered a “proactive response”, as Thomas Rid puts it. The US has previously responded to state-affiliated cyber-attacks with “naming and shaming,” a tactic that so far has not seemed to have any great impact on perpetrators.
Apart from calling states out for bad behavior, there are other potential responses that would likely be more effective in deterring malicious cyber activity. Hackers can be indicted, diplomats can be expelled, economic sanctions can be imposed on individuals and companies, and individuals’ personal information can be stolen and leaked. For example, after the 2014 Sony Pictures hack the US applied financial sanctions to North Korea, and imposed both sanctions and the expulsion of diplomats after Russia’s interference in its 2016 elections. Nevertheless, Russia continues to interfere in elections worldwide, and North Korean hackers continue to use malware for profit. Hidden, clandestine, or low-visibility cyber operations can also be undertaken, but the risk of conflict escalation, collateral damage, and other negative consequences must be taken into consideration. The US is not likely to respond with offensive cyber means unless Russia conducted a significant cyber-attack against US territory. It would likely respond to a low-level attributable cyber intrusion against its territory with “loud cyber weapons” that can be traced back to the US military, or with low-level intrusions into Russian networks.
Judging by its past responses to Western accusations, Russia’s standard response is to issue denials, make counter-accusations (e.g. that Russia is being “demonized”), and change the subject. For example, Russia alleges that even if cyber-attacks against Ukraine originated in Russia, they were the actions of patriotic individuals who were keen to promote Russian national interests. When the UK government attributed NotPetya to Russia, the response from Alexander Yakovenko, Russian Ambassador to the UK, was to accuse “the international community” of ignoring Russia’s constructive proposals to fight cybercrimes (notably the UN draft “Convention on Cooperation in Combating Information Crimes”), at the same time noting that the same international community increasingly supports the Russian draft (!).
Whether it would be legal under international law or politically prudent to respond to Russia’s growing aggressiveness in cyberspace with cyber operations remains at this point an unanswered question that merits public debate. It is not clear whether such responses would have any effect on Russia’s calculus. It is safe to predict that none of the abovementioned responses is likely to stop it gaining from low-cost, low-risk, low-visibility malicious cyber operations. In June 2017 NATO CCD COE researchers wrote that “NotPetya and WannaCry call for a joint response from international community”, and that targeted countries should launch a special joint investigation. Even though these attacks have been attributed to the states that carried them out, the question of the right response still remains unanswered.