Britain can legally launch cyber attacks on hostile states that hack key services, the Attorney General has said.
In a speech to be delivered at Chatham House on Thursday, Suella Braverman will argue that international law applies as equally in the cyber world as in the real world, where the principle of “non-intervention” in another country’s affairs allows states to take defensive countermeasures.
In the wake of Russia’s cyber and real warfare against Ukraine, she said this meant that states could legally introduce sanctions as well as cyber countermeasures, provided they were “proportionate” to the unlawful attack by a hostile state.
She will warn that international “rules of the road” needed to be established in order to prevent future attacks that could have devastating effects on communities.
“International law matters in cyberspace because if we don’t shape the rules here, if we don’t have a clear framework to counter hostile activity in cyberspace, and if we don’t get cyber security right, the effects will be likely to be felt more often and in hugely disruptive ways by ordinary people,” she said.
Ms Braverman cited one example of a council hit by a single cyber breach in 2020 which disrupted services to the local population for months by shutting down IT systems and stopping it from carrying out property purchases. It cost the authority £10 million.
‘Vacuum’ over applying international law in cyberspace
Speaking to The Telegraph ahead of her speech, she said that there was “confusion” and a “vacuum” over how international law should apply in cyberspace. She believed that there would be a consensus but there was, as yet, no legal document.
The Attorney General also believed that the governing principle should be the international law of non-intervention, which prohibits coercive acts by one state that adversely or detrimentally interfere with the sovereign activities of another.
Ms Braverman said that the next step was to establish the types of “coercive and disruptive” acts that would be deemed unlawful.
She identified four of the most significant sectors vulnerable to cyber attacks: energy security, essential medical care such as hospitals, economic stability which would include disrupting supply chains, and democratic processes such as elections.
Last week, the UK, US, EU and other allies announced that Russia has been behind a series of cyber attacks since the start of its illegal invasion.
The most recent attack on communications company Viasat in Ukraine had a wider impact across the Continent, disrupting wind farms and internet users in central Europe.
Ms Braverman said that being clear about what was unlawful meant that states could then be clearer about the range of potential options that could lawfully be taken in response.
“If a state says ‘We believe we have been on the receiving end of an unlawful cyber attack’, they would legitimately have a right to respond through countermeasures,” she said.
“It could include economic sanctions, restricting freedom of movement. That is visa bans – you could exclude a nation from an international grouping and other diplomatic measures.”
Asked if it could include cyber attacks against the hostile state, she said: “They can be of the same character. They could involve cyber and non-cyber. If you have clearly established unlawfulness and if it was the most effective and most proportionate means [of responding], it would be justified. It is defensive cyber, effectively.”