Retaliation against cyber attacks would be lawful under international law, the attorney general said today in a speech warning ‘hostile actors’ against 'covert cyber intruders'. Jeremy Wright QC MP also set out a legal basis for the UK's 'National Offensive Cyber Programme' set up by the Ministry of Defence and GCHQ.
Addressing an event at Chatham House, Wright said that as far back as 2015 a UN expert group - 'including not just the UK and the US but also Russia and China' - recognised that the UN Charter applies to cyberspace. This 'affirmed the relevance of a state’s inherent right to act in self-defence in response to a cyber operation meeting the threshold of an armed attack', he said.
Examples of attacks meeting that threshold include interference with the operation of a nuclear reactor or to disable air traffic control systems with resulting loss of life, he said. 'Acts like the targeting of essential medical services are no less prohibited interventions ... when they are committed by cyber means.'
Wright set out three rules of the UN Charter governing cyber warfare, on top of customary international law:
- Article 2(4), prohibiting the threat or use of force against the territorial independence or political integrity of any state.
- Article 2(7), prohibiting interventions in the domestic affairs of states. 'This prohibition means that any activity in cyberspace which reaches the level of such an intervention is unlawful.'
- Article 51, recognising that cyber operations resulting in, or presenting an imminent threat of, death and destruction on an equivalent scale to an armed attack give rise to an inherent right to take action in self-defence.
Wright denied that building a 'sovereign offensive cyber capability' destabilises or weaponises cyber space. There is an obligation on each state to ensure use and development are carried out in accordance with international law, he said.