Two recent Russian malicious cyber operations in Latvia targeted the government and a social media platform. But, legally, those instances do not rise to the level of a “cyberattack” as defined by the Tallinn Manual 2.0. Despite not satisfying the elements of a cyberattack per se, the Kremlin is nonetheless using disinformation campaigns and other cyber activity tactics to create instability abroad, and international rules on cyberwarfare and cyberattacks must be reevaluated to include these new forms of warfare. The current terminology is inadequate: “cyber activity” and “cyber operation,” which have been used to define such attacks, suggest Russia’s actions are not serious or harmful. Instead, a new term like “soft power cyberattacks” should be coined to reflect the changes in cyberwarfare and provide governments appropriate recourse.
Malicious Cyber Operations Conducted by Russia in Latvia
On the eve of Latvia’s parliamentary elections in fall 2018, Russia initiated malicious cyber operations on several Latvian government institutions. Latvia’s state security service, also known as the Constitution Protection Bureau, announced Latvia had been repeatedly targeted through cyber operations by the Russian Federation during and after the October 2018 elections. They revealed that Russia’s GRU military intelligence service conducted the attack. The attacks targeted government institutions, including the foreign and defense sectors, for the purpose of espionage. Especially frightening was their main target, the Central Election Commission, which was conducting the parliamentary election. Though the attack did not successfully alter the election results, the fact that Russia attempted such an illegal act created more dissidence and distrust between governments of Latvia and Russia.
While the Russian cyber operations in Latvia should be condemned and Russia should take responsibility for its actions, according to international law, the October 2018 attack does not rise to the legal definition of a cyberattack or cyberwarfare because there was no ongoing armed conflict between Latvia and Russia.
The Tallinn Manual 2.0, published by the North Atlantic Treaty Organization (NATO) and international law experts, is the current most comprehensive, but non-binding, source on international law and cyber operations. According to the manual, “A cyberattack is a cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects,” during an armed conflict. However, under the Tallinn Manual, cyber espionage—or any act that is used “to gather, or attempt to gather information”—is considered legal during peacetime.
Still, news outlets such as Reuters, Voice of America, and LSM all referred to the 2018 incident as a “cyberattack.” No outlet discussed whether the actions actually constituted an attack under international law or the Tallinn Manual. The term “cyberattack” has become a generic term used around the world, and is arguably applicable to any cyber activity targeting a foreign government or entity. While there certainly are cyber operations occurring around the world every day, it is unlikely that all of them rise to the level of a cyberattack as defined in the Tallinn Manual. That does not mean other malicious cyber operations are not still legitimate problems, but they cannot technically fall under the international law definition of a cyberattack if they do not occur during an ongoing armed conflict or war.
There was no armed conflict with Russia during the 2018 Latvian parliamentary elections. Latvia also did not suffer any injuries to people or property during Russia’s cyber operation, leaving it difficult to claim Russia’s actions constituted a cyberattack per se. The Tallinn Manual specifically states nonviolent operations, like cyber espionage, do not qualify as attacks. In the last few decades in Eastern Europe, only the 2008 conflict between Georgia and Russia rose to the level of cyberwarfare because there was an ongoing armed conflict.
Although Russia’s malicious cyber operation targeting Latvia’s defense and foreign ministry websites cannot be considered a cyberattack, it could be considered a violation of state sovereignty through cyber operations. According to the Tallinn Manual, “A State must not conduct cyber operations that violate the sovereignty of another State.”A violation of sovereignty occurs “when one State’s cyber operation interferes with or usurps the inherently governmental functions of another State.” Even if there is no “physical damage, injury, or loss of functionality,” interference that inhibits a target state from performing state functions constitutes a violation of sovereignty. Some examples of a violation of state sovereignty include interfering with social services, elections, collecting taxes, diplomacy, and national defense activities. Hacking into Latvian government institutions such as the defense department and foreign ministry, are both serious crimes and arguably violate the country’s sovereignty.
Latvian Social Media Site Hack
The Russian government has become creative when it comes to using other forms of cyber operations and disinformation campaigns. The Kremlin has its own digital army of robots ready to spread propaganda throughout the Baltic states. It also has the tools to hack anything from a foreign government agency to a social media site. While hacking a Latvian social media site does not fit the definition of cyberattack, such actions can still have a significant impact on society and are cause for concern.
In addition to the malicious cyber operations against the Latvian government institutions prior to Latvia’s 2018 parliamentary elections, pro-Russia hackers targeted social media site “Draugiem.lv.” The hackers replaced the front page of the Facebook-like site with a Russian flag and message saying “Fellow Latvians, this concerns you. The Russian border has no limits!” The page also played the Russian national anthem and included pictures of President Vladimir Putin and the Russian military. While the Latvian government claims the hack did not affect the voting process or the election results, the incident demonstrates Russia’s desire to meddle in Latvian elections and affairs. Latvian Foreign Minister Edgars Rinkēvičs reassured citizens afterwards saying that Latvia is “quite well prepared to take [on] any possible interference in [its] elections.” Others reflected on the event differently, arguing it demonstrated Russia’s continued interest in undermining Latvia.
The 2018 Draugiem.lv hack clearly does not rise to the level of a cyberattack, but it did create unrest within Latvia, and fits the definition of a “low intensity cyberattack.” It disrupted a Latvian computer system and network and added to Latvia’s growing distrust of Russia. A “low intensity cyberattack” is a case where a cyber operation falls just short of a cyberattack as defined by the Tallinn Manual. Cases like this are occurring with greater frequency around the world not just in Latvia, and the international community needs to address the issue.
Calling for International Response
The unfortunate reality is because these cyber operations do not fit the definition of a cyberattack, they are not taken seriously by the international community, and countries incurring attacks cannot respond or retaliate. Low intensity cyberattacks are actions that “alter, disrupt, deceive, degrade, or destroy computer systems or networks resulting in destruction and coercion insufficient to amount to a use of force or intervention under international law.” They are very common, but do not rise to the level of a cyberattack. Some scholars argue such attacks are still dangerous and nations should have the ability to respond legally with countermeasures. If international institutions adopted new rules related to malicious cyber operations, Latvia—and other states—would have the ability to respond in future similar situations.
Two Recourse Options
While other options exist, two possible forms of recourse for countries on the receiving end of low-intensity cyberattacks are 1) bringing international lawsuits, and 2) (illegal) retaliation. Following the 2018 parliamentary election malicious cyber operations, the government of Latvia or individual citizens could bring a case before the European Court of Human Rights (ECtHR) against Russia. Alternatively, although not legal, Latvia could engage in an act of reprisal.
In the first option, the Latvian government or private citizens could sue the Russian Federation if they can show how they have been harmed by the malicious cyber operations, and what kind of damages they deserve as a result. This recourse option would take time because in order to bring a convincing case, Latvia would need to collect evidence showing Russia’s repeated aggression in the form of cyber operations in Latvia. This might take years; however, it would be a viable option for both parties to have their day in court. Furthermore, Russia has a good track record of paying the ECtHR fines and judgments against it when other countries and individuals have brought lawsuits in other cases. One problem with this option is it would not deter Russia from doing the same thing again in the future. Although Russia typically pays the judgments, there would be nothing to stop Russia from committing more malicious cyber operations.
The second option is using the law of reprisal. However, if Latvia decided to pursue a tit-for-tat method, it would have to accept the consequences, given this is generally forbidden under international law. The classic law of reprisal definition in international law is taken from The Naulilaa Case (Portugal v. Germany) which states, “Reprisals are an act of self-help on the part of the injured states, responding after an unsatisfied demand to an act contrary to international law on the part of the offending State. . . . They would be illegal if a previous act contrary to international law had not furnished the reason for them. They aim to impose on the offending State reparation for the offense or the return to legality in avoidance of new offenses.” This means countries can legally respond in some circumstances, but they are not supposed to engage in revenge retaliation. Instead, reprisals should be used as a last resort when all other legal options have been exhausted. If a reprisal is conducted, then the reprisal action must be proportionate. Generally, reprisals are supposed to deter future aggression. In the case of Latvia, a proportionate reprisal action against Russia might be conducting a cyber operation or hack on a Russian government institution website. The Latvian government could not, however, decide to instead bomb a Russian city because there was no loss of life during the Latvian malicious cyber operations. Therefore, killing innocent lives would not be a proportionate action. The benefit to this strategy is that it could deter future misconduct by Russia. The problem is that it is illegal, and this may provoke Russia into committing more serious crimes, and result in escalating tensions.
While many of Russia’s malicious cyber operations do not rise to the level of a cyberattack as defined by the Tallinn Manual, the international community should be concerned with ongoing cyber aggression and targeted disinformation campaigns, particularly as Russia also has a proven track record of interfering in elections around the world. In the Baltic region, the security question already looms large in a traditional sense: Russia repeatedly enters Latvia’s airspace without permission, or crosses into its international waters. Sometimes, it does both at once. Though there is no current armed conflict, Russia’s low-intensity cyberattacks demand some responsive action.
Defining new terminology for soft power cyberattacks at an international legal level is key to addressing such cyber operations. The current terms of cyberattack and cyberwarfare are only applicable in actual armed conflicts, but when cyber meddling breaches government agencies, countries must have the means to legally retaliate against the violation of sovereignty. Currently, governments, particularly of more vulnerable countries, are unable to effectively respond to such incursions, which allows perpetrator countries to continue illegal actions and attacks without legal consequence. Relying on the terms “cyber operation” or “cyber activity” diminishes the severity of the attack. Hacking into government ministries and electoral commissions are serious issues and should be treated as crimes. Furthermore, online Russian bots spreading lies and disinformation, as well as hacking into social media platforms, should be viewed as a soft power cyberattack. In 2020, new terms and rules on cyberattacks conducted externally to armed conflicts must be coined. Currently, there is no way to appropriately describe the crimes being committed in cyberspace. The Kremlin has learned to weaponize the internet, and the international community needs the proper tools to respond. As a result, the Tallinn Manual experts and other members of the international community need to call for change and adopt new rules that reflect the changing landscape of cyberwarfare.
The views expressed in this article are those of the author alone and do not necessarily reflect the position of the Foreign Policy Research Institute, a non-partisan organization that seeks to publish well-argued, policy-oriented articles on American foreign policy and national security priorities.
 Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations, Rule 92 (Michael N. Schmitt ed., 2017).
 See William E. Pomeranz, Uneasy Partners: Russia and the European Court of Human Rights, 19 Human Rights Brief 17, 17 (2012); Maria Issaeva et. al., Enforcement of the Judgments of the European Court of Human Rights in Russia: Recent Developments and Current Challenges, 8 SUR International Journal on Human Rights 67, 70 (2011).; and Alexei, Trochev, All Appeals Lead to Strasbourg? Unpacking the Impact of the European Court of Human Rights on Russia, 17 Demokratizatsiya 145, 149 (2009).
 The Naulilaa Case, 8 Trib. Arb. Mixtes at 422-25.
 G.A. Res. 2625 (XXV), at 122 (Oct. 24, 1970).