Scenario 02: Cyber espionage against government departments

A military unit of State B conducts a cyber espionage operation against State A’s Ministry of Foreign Affairs and its subordinate organizations. The data obtained in this operation is later published on the internet by State B. The analysis considers whether State B’s operation violated sovereignty, the prohibition of intervention, and diplomatic and consular law. What measures, if any, can the victim State lawfully take in response?

Keywords
Attribution, peacetime cyber espionage, diplomatic and consular law, prohibition of intervention, sovereignty, privacy

Facts
[F1] State A discovers that an email server and several other servers belonging to its Ministry of Foreign Affairs (MFA) have been infiltrated. (The MFA system is a closed system located in the territory of State A, with mission staff using a VPN connection to access it.) Initially, the attackers are not identified. Investigation shows that the attackers gained access to the email server by obtaining the passwords of several consular officers at State A’s missions abroad through spear phishing and fake log-on websites (incident 1).

[F2] After gaining access, the intruders escalated account privileges and moved laterally through the network, which includes servers located both within State A's territory and on diplomatic and consular premises abroad. Within a few days, they gained access to additional MFA network servers and services provided in various countries abroad. They had access to data of various MFA personnel including senior officials for several months (incident 2).

[F3] A large amount (over 10 GB) of unclassified data on MFA servers was exfiltrated, even though it is not immediately clear what precise data was affected by the incident (incident 3). No data was destroyed or encrypted and no MFA services were affected during the attack.

[F4] Nobody claims responsibility for the attack immediately after the MFA's discovery of the incident and publication of the fact that it has occurred. However, a few days later, emails, procurement documents, and internal memos belonging to the MFA of State A are published on the internet (incident 4).

[F5] Multiple pieces of evidence point to State B:
 * Technical investigation revealed the malware used by the attackers in this case. The same malicious code was employed in the past during multiple campaigns by an entity affiliated with a military unit of State B. One of those campaigns was targeted against State C’s MFA.
 * Earlier, the head of an allied intelligence service in State C had publicly accused State B of a cyber espionage campaign conducted by the state military unit against State C’s MFA.
 * The attackers used tactics, techniques and procedures (TTPs) very similar to those observed in other attacks publicly attributed to State B by multiple countries, including State A’s allies. Mimicking TTPs is much more difficult than tampering with other technical elements.
 * Judging by the nature and content of the compromised data and by the persons who were apparently of particular interest to the attackers, State A’s cybersecurity authority indicated State B as a logical and the most probable perpetrator of the attack against the MFA.
 * State A’s intelligence service sources confirmed that State B institutions possessed information that was based on State A MFA’s internal data that was not in the public domain.

[F6] Both State A and State B are parties to the Vienna Convention on Diplomatic Relations (VCDR) and the Vienna Convention on Consular Relations (VCCR).

Examples

 * SuperMicro supply chain breach (since 2010)
 * Office of Personnel Management data breach (2015)
 * APT-29 attacks on ministries (2016-2017)
 * Chinese infiltration into EU parliamentary proceedings (2018)
 * SolarWinds (2020)

Legal analysis

[L1] The legal analysis focuses on a number of relevant international legal rules, including the obligation to respect the sovereignty of other States, the prohibition of intervention, inviolability under diplomatic law and privacy rights.

Attribution
[L2] The military unit of State B qualifies as an organ of that State. As such, its relevant conduct is directly attributable to State B. The following analysis proceeds on the assumption that all activities described in the scenario (incidents 1–4) were conducted by the said State B’s military unit and are therefore attributable to it.

Diplomatic and consular law
[L3] In incident 1, by gaining access to the official email accounts of several consular officers of State A, State B ran afoul of the inviolability of official correspondence under diplomatic and consular law. The lateral movement (incident 2) and exfiltration of data (incident 3) are just further steps in the illegal activity of State B, at least to the extent that the hacked accounts and servers contained data pertaining to State A’s diplomatic missions and consular posts, irrespective of their location. This is because international law grants inviolability to any official correspondence relating to the mission and its functions.

[L4] Incident 4, in which the data was published on the internet, raises the question whether the published materials are still protected under diplomatic and consular law. This issue is unsettled in the present state of the law. One view, endorsed by a majority of the experts drafting the Tallinn Manual, is that inviolability no longer applies to data that has been made public, as it is “not confidential as a matter of fact”. By contrast, others believe that the duty to respect the inviolability of the materials in question continues to apply in such cases. The primary reason for this view is that the duty of inviolability covers the protected materials “wherever they may be”, which therefore includes even the public domain.

[L5] Nonetheless, there may be aspects of the right to privacy in the context of international human rights law which are violated by the publication of the consular officers' and other MFA personnel's personal details and additional information associated with their emails.

Sovereignty
[L6] Whether State A's sovereignty was violated in incidents 1–3 depends on whether the espionage operation was fully conducted from outside of State A’s territory, or whether a part of it was conducted by operators physically located in State A’s territory. In the latter case, the operation could be considered a violation of sovereignty, and hence State B’s breach of its corresponding international obligation (option 1 above). As for a possible interference with data or services that are necessary for the exercise of "inherently governmental functions" (option 4 above), the data was merely copied by the adversary, not destroyed, deleted or modified, and the services were kept working during the espionage operation; hence the operation did not impair the exercise of the functions by State A.

[L7] Taken separately, the publication of the acquired data (incident 4) would not violate the sovereignty of State A (however, if the publication was done in order to coerce State A, it might be a prohibited intervention; see below). Had the published information been classified in State A, the publication would likely be illegal under State A’s domestic law; State A can also be a party to international agreements which regulate the transfer of its classified information to third parties, which may create obligations for third States with regard to this information.

Prohibition of intervention
[L8] In the present scenario, prohibited intervention could also be a relevant qualification. The incidents encroach on State A’s external affairs which are the sole prerogative of State A. However, incidents 1–3 (infiltration into State A systems and exfiltration of data) do not contain the element of coercion, because they are conducted merely with the aim to gather information, which does not compel State A to adapt the conduct of its external affairs.

[L9] As for incident 4 (publication of the data), if it can be attributed to State B, it is coercive in the sense that it has the potential to cause State A to adapt its external (and internal) affairs based on the published information and to contain the relevant political damage. It may be harder for State A to ascertain the intent of State B, which might have had no particular outcome in mind, apart from causing mischief. This might also pose an issue for establishing the causal nexus between State B’s activity and the resulting reaction by State A: the causality might not be deemed direct enough.

Espionage
[L10] As this overview demonstrates, the mere characterization of a cyber operation as amounting to cyber espionage is not conclusive as to the question of its lawfulness under international law. Reference must be had to specific rules of international law, which may be breached by the operation in question in its specific circumstances (see especially Sovereignty and Prohibited intervention above).

[L11] It may be noted that there is a view that acts of espionage represent a customary exception to the relevant prohibitions. However, this interpretation would amount to the establishment of a novel circumstance precluding wrongfulness, for which there is no evidence in international law. Accordingly, the lawfulness of incidents 1–4 must be assessed with reference to other applicable international legal rules.

Checklist

 * Do the affected materials come under the duty of inviolability of documents and archives of diplomatic missions and consular posts?
 * Do they implicate the right to privacy of affected personnel?
 * Does the exfiltration and publication of data violate the sovereignty of the victim State?
 * Does the exfiltration and publication of data amount to a prohibited intervention?
 * Is the fact that part of the operation is peacetime cyber espionage an important circumstance for the il/legality of the operation? If so, to what extent?

Bibliography and further reading

 * Ashley Deeks, 'An International Legal Framework for Surveillance' (2015) 55 Va. J. Int’l L. 29.
 * Gary P. Corn and Robert Taylor, ‘Sovereignty in the Age of Cyber’ (2017) 111 AJIL Unbound 20.
 * James Crawford, Brownlie's Principles of Public International Law (OUP 2012).
 * Wolff Heintschel von Heinegg, 'Territorial Sovereignty and Neutrality in Cyberspace' (2013) 89 Int’l L. Stud. 123.
 * Michael N Schmitt (ed), Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (CUP 2017).
 * Michael N Schmitt, 'Virtual Disenfranchisement: Cyber Election Meddling in the Grey Zones of International Law' (2018) 19 Chi J Intl L 30.
 * Michael N Schmitt and Liis Vihul, ‘Respect for Sovereignty in Cyberspace’ (2017) 95 Tex L Rev. 1639.
 * Sean Watts & Theodore Richard, 'Baseline Territorial Sovereignty and Cyberspace' (2018) 22 Lewis & Clark L. Rev. 771.
 * Katja Ziegler, “Domaine Réservé”, in Rudiger Wolfrum (ed), Max Planck Encyclopedia of Public International Law (OUP 2008).

Contributions

 * Scenario by: Taťána Jančárková & Tomáš Minárik
 * Analysis by: Tomáš Minárik
 * Reviewed by: Deborah Housen-Couriel; Kadri Kaska; Petr Novotný