Defensive cyber attacks may be justified, says attorney general

The UK’s attorney general Suella Braverman has indicated that the UK may be justified in launching defensive cyber attacks against hostile nation-states, should agreement be reached in the international community on the cyber rules of engagement, and how international law is applied in cyber space.

In an interview with the Daily Telegraph given ahead of a planned speech on the subject at Chatham House, Braverman appeared to confirm that a cyber attack would be justified should it be determined it is in line with international law.

She said it was her belief that established international law applies to cyber warfare as it does to kinetic warfare, where principles of non-intervention permit countries to take defensive countermeasures against aggression.

Braverman told the newspaper that, as such, if it could be determined that a cyber attack was “the most effective and most proportionate” response, then a defensive cyber attack would be legally allowable.

In her speech tonight (19 May), Braverman will talk about how the united global response to Russia’s invasion of Ukraine has demonstrated why there is a need for a cyber security framework for nation-states. She will stress that cyber space is not lawless, argue that cyber attacks should be treated the same as physical ones, and say nation-states must lead the debate on drawing up the ground rules.

In a statement issued by her office, Braverman said: “The United Kingdom’s aim is to ensure that future frontiers evolve in a way that reflects our democratic values and interests and those of our allies.

“The law needs to be clear and well understood if it is to be part of a framework for governing international relations and to rein in irresponsible cyber behaviour. Setting out more detail on what constitutes unlawful activity by states will bring greater clarity about when certain types of robust measures are justified in response.”

Braverman’s remarks on the legality of nation-state cyber attacks may be construed as something of a departure in foreign policy terms for the UK. The government has previously shied away from making such pronouncements, and the National Cyber Security Centre (NCSC) in general declines to be drawn on the point, noting instead the UK’s stated ambition to be a “responsible” global cyber power.

Computer Weekly reached out to the NCSC for clarification but had not received a response at the time of publication.

Commenting on Braverman’s remarks, ESET global cyber security advisor Jake Moore said: “Cyber law is one of the most complex and difficult areas to manage due to how the occurrences are often unattributable to any particular country. The dynamics and of course the differences between nations can cause conflict of their own or even the ability to avoid any given situation.

“Clearly a framework to counter hostile states is vital, but the intricacies in this context remains a difficulty in its own right to agree on. It is clear that more needs to be done to combat as well as fight international cyber crime such as espionage and increasing cyber war, but waiting for a set of international rules can often leave a far greater opportunity given the time it takes for this approval,” he said.