The Russian war against Ukraine has so far included only occasional and incidental cyberattacks. As Russia’s losses in the conventional war mount and the impact of sanctions and Western military aid to Ukraine take a toll, Russia may escalate cyber intrusions even in NATO States in retaliation for their support of Ukraine. International law provides unclear guardrails for cyber conflict, and the potential for NATO involvement in an escalatory conflict with Russia is growing.
Introduction: Ukraine Dodges the Cyber Bullet, So Far
On April 12 Ukrainian officials reported that they had thwarted a Russian cyberattack on Ukraine’s electric grid that could have knocked out power to two million people. Had the hack been successful, the sophisticated malware that Russia’s G.R.U. military intelligence unit employed would have made it difficult to restore power by effectively taking over industrial control systems. Such a grid shutdown would have paralyzed much of western Ukraine, including communications, emergency services, and other components of critical infrastructure. The effects could have been devastating, especially at a time when Ukraine was fighting for its very survival in a bloody war with Russia.
Cyberattacks have accompanied conventional Russian military tactics since its invasion of Ukraine began on February 24. Russian hackers struck the Ukraine Defense Ministry, its army, and two of its banks online in the early weeks of the war and have regularly targeted critical Ukrainian infrastructure. However, the April 12 attempt to switch off the lights was far more advanced, and the implications of its use by Russia are far more provocative. If the war does not progress as Putin planned, might Russia put pressure on Ukraine and NATO through increasingly intrusive and impactful cyberattacks? If that happens, how will NATO respond? Might NATO invoke its collective self-defense mechanism? What responses to significant cyber intrusions are permitted by international law? As the war grinds on and casualties and costs mount, the risk of significant Russian cyberattacks increases, likely targeting states that are aiding the Ukraine war effort. If such attacks impact NATO States, the Council will face an unprecedented tangle of legal and policy challenges.
The Role of NATO
The North Atlantic Treaty Organization (NATO) was created by treaty in 1949 with 12 members and now has 30, with Finland and Sweden considering membership in the wake of Russian aggression. The key security commitment of member States is Article 5, which states, “The Parties agree that an armed attack against one or more of them in Europe or North America shall be considered an attack against them all.” Could a cyberattack by Russia targeting one or more member States constitute an “armed attack”? If so, what lawful response options would the alliance have?
Article 5 was written with kinetic war in mind. How should the post-World War II framework accommodate the contemporary reality that conflicts between States now frequently take place in cyberspace? The consensus view among scholars and NATO States is that cyber operations may rise to the level of an armed attack, but only when the consequences to the victim State are especially grave. The alliance has not clearly determined the contours of the armed attack threshold. Any NATO response to a cyberattack is further complicated by the additional treaty language that each member is only required to take “such action as it deems necessary, including the use of armed force,” and only “in accordance with each nation’s constitutional processes.” In other words, Article 5 may authorize NATO action in response to a significant cyberattack, but only as each State “deems necessary” and only in accord with its domestic laws.
In 2014 NATO established cyber defense as a core mission in its collective defense. Yet NATO is a command and control center relying on equipment and personnel provided by members. Thus, any NATO response to a Russian cyberattack would be undertaken by one or more member States. In addition, cyberattacks can be and often are difficult to attribute quickly, and Russia is experienced in denying responsibility for its cyber activities.
The Risks of Escalation
While the cyber domain has not yet been a significant component of Russia’s offense against Ukraine, that does not mean that assuring strong cyber defenses among NATO States can be put on the back burner in the face of a spreading conventional war. Many will recall that the GRU launched the NotPetya attack against Ukrainian targets in 2017 and that the malware was misdirected, spread globally, and caused around $10 billion in commercial harm to Western companies. Russia’s use of proxies for offensive cyber operations illustrates the continuing danger posed by Russia in the cyber domain. If the Russian military continues to struggle against its Ukrainian counterparts, and with Western sanctions greatly impacting the Russian economy, might Putin escalate with offensive cyberattacks by proxies against the West and NATO? If he does, and Russian cyberattacks against industrial control systems and critical infrastructure succeed, the potential consequences could be devastating for NATO.
More important perhaps is that a tit-for-tat series of cyberattacks between Russia and NATO could itself feed a cycle of escalation, perhaps leading to Russian use of chemical weapons or even detonation of a tactical or low-yield nuclear weapon. On April 15, 2022, Russia warned the Biden administration to stop supplying advanced weapons to Ukrainian forces or face “unpredictable consequences,” suggesting both that the weapons were effectively blunting the Russian military offensive and that Russia might attempt to target or sabotage some of those weapons shipments while still in NATO territory or attack NATO in some other way, such as by cyber means. Such an attack by Russia, if verified, would almost surely meet the “armed attack” threshold.
Russia and NATO member states will likely continue to seek to avoid a direct military clash. So far both sides have practiced nuclear deterrence rhetoric for all to see. However, when the battlefield expands to cyberspace, the laws and norms of war versus peace do not have a ready-made template. In contrast to conventional military conflicts, there are currently no red lines when offensive cyberattacks escalate to a harmful scale.
Suppose Russia attempts to disable the computers at the London Stock Exchange or NASDAQ, or the data servers of large banks in the West that have curtailed their operations in Russia. Western intelligence officials know that Russia can target underwater cables and industrial control systems, not to mention its ability to penetrate and shut down the U.S. electric grid. While similar Russian provocations in recent years have prompted only tepid responses from Western nations, would significant cyberattacks perpetrated by Russia demand more aggressive cyber replies in the midst of the war in Ukraine? What are the options – turning out the lights in Moscow? Taking down the servers at GRU? What are the risks of escalation?
For better or worse, international law is hardly crystal clear when it comes to clarifying NATO response options to feared Russian cyber operations. If Russia undertakes cyber operations that target NATO States, any such operation that causes harmful effects in the victim State violates State sovereignty. “Harmful effects” is, of course, an open-ended term. If Russian cyber operations cause physical damage or injury in a NATO State, an unlawful breach of territorial sovereignty has occurred. If the cyberattack causes only a loss of functionality or manipulation or alteration of data, States have found a sovereignty violation when the loss is serious and permanent. NATO has taken the position that cyber operations may constitute unlawful uses of force in violation of the UN Charter and customary international law based upon their “scale and effects.” Only a few member States have spoken about what factors would be decisive in determining whether a threshold of scale and effects has been reached.
In addition, self-defense under Article 51 of the United Nations Charter allows States to engage in otherwise unlawful conduct – including the use of force – to defend themselves. Because “individual or collective” self-defense under Article 51 may be invoked only in the event of an “armed attack,” Article 51 is unlikely to be triggered following a cyber intervention except in extreme circumstances as suggested above. Nevertheless, the fact that collective self-defense is lawful under the Charter permits some NATO States to rely on Article 5 to come to the aid of other attacked NATO States with cyber or kinetic defenses.
Ironically, perhaps the most important player early in the Ukraine war that helped avoid confrontation between Russia and NATO States was Microsoft. At the encouragement of U.S. Deputy National Security Adviser Anne Neuberger, NATO States allowed Microsoft to penetrate and then neutralize Russian malware that was targeting Microsoft products used by Ukrainian authorities. This ad hoc public-private partnership happened quickly, did not cross the threshold of coercive action, and avoided at least for now a direct confrontation in cyberspace between NATO and Russia.
However, as the escalatory dynamics evolve, there is a clear legal basis for NATO using cyber or other means in support of Ukraine. Because Russia has attacked Ukraine, if Ukrainian authorities request NATO participation in the collective self-defense of Ukraine, the use of force in response to Russian armed attacks comports with international law. The fact that Russia has often had non-state groups such as the Internet Research Agency conduct cyber operations on its behalf does nothing to undermine Russian state responsibility whenever the hackers are operating pursuant to Russia’s “instructions, or direction or control.”
Luck and the continuing resolve of Ukrainian forces and their leadership may allow for a cease-fire and settlement terms to emerge. Yet if Russia continues to be backed into tactical and strategic corners on the battlefield and in the face of NATO State sanctions and military support for Ukraine, Putin may believe that he has little left to lose in provoking NATO into defending member States, through cyber or other means. If that happens, we all have much to fear.
. . .
William Banks is a Board of Advisers Distinguished Professor emeritus for the College of Law/Maxwell School of Citizenship and Public Affairs at Syracuse University, Editor for the Journal of National Security Law & Policy, and founder and director at the Institute for National Security and Counterterrorism. He was Interim Dean for Syracuse University College of Law and has served as a Special Counsel to the U.S. Senate Committee on the Judiciary.