Countries that conduct and sponsor “hostile” cyber activity, including attempts to influence foreign elections, cannot be allowed to avoid responsibility by hiding behind “proxy” groups, the Attorney General has said.
Jeremy Wright said the UK had the right under international law to carry out unannounced retaliation against those behind cyber attacks, saying it would continue to publicly name and shame those responsible.
Mr Wright said attempts to bring down critical infrastructure such as nuclear reactors and air traffic control towers through online attacks should be treated under international law in the same way as if they were targeted in bombing raids.
Cyber attacks against critical infrastructure which caused or threatened “death and destruction” equivalent to an armed attack would result in self-defence actions, he added, saying defensive measures did not have to be “symmetrical” to the threat.
The major speech at the Chatham House foreign affairs think tank on Wednesday set out on the record for the first time the Government’s position on applying international law to cyberspace.
Mr Wright said there was an established principle that countries should be free to choose their own “political, social economic and cultural system”.
He added: “The practical applications of the principle in this context would be the use by a hostile state of cyber operations to manipulate the electoral system to alter the results of an election in another state, intervention in the fundamental operation of parliament, or in the stability of our financial system.
“Such acts must surely be a breach of the prohibition on intervention in the domestic affairs of states.
“A breach of this principle of non-intervention provides victim states with the ability to take action in response that would otherwise be considered unlawful, but which is permissible if it is aimed at returning relations between a hostile state and the victim state to one of lawfulness and bringing an end to the prior unlawful act.”
The Government’s name and shame approach has already seen North Korean-linked hackers blamed for the WannaCry ransomware attack which hit NHS computers last year.
In February, the Government blamed Russia for the June 2017 NotPetya attack.
Russia was also blamed for the hack of Democratic National Committee emails in the run-up to the 2016 US presidential elections.
Mr Wright added: “International law is clear: states cannot escape accountability under the law simply by the involvement of such proxy actors, acting under their direction and control.
“But the challenge, as ever, is not simply about the law – as with other forms of hostile activity there are technical, political and diplomatic considerations in publicly attributing hostile cyber activity to a state in addition to whether the legal test is met.”
He said the UK was not always “legally obliged” to warn countries that it was retaliating against a cyber attack, if it would “expose highly sensitive capabilities in defending our country in the cyber arena”.