Scenario 23: Vaccine research and testing


A major State-run hospital serving as a virus testing and vaccine research facility falls victim to both research espionage and a two-day distributed denial of service (DDoS) attack during a pandemic. Several months of research and clinical trial data is exfiltrated to a neighbouring State. As a result of the DDoS attack, the victim State’s population cannot access information about virus testing availability and cannot obtain test results. The scenario considers attribution of the cyber operations and whether such incidents constitute a violation of sovereignty, a prohibited intervention, a use of force, or a violation of international human rights law.

Keywords
Attribution, sovereignty, peacetime cyber espionage, prohibition of intervention, use of force, international human rights law

Facts
[F1] State A and State B are suffering from a pandemic caused by a highly communicable, previously unidentified respiratory virus. Common symptoms of the virus include high fever, cough, shortness of breath, and fatigue. Because some infected persons are symptomatic and others are contagious despite appearing asymptomatic, the virus is spreading virtually unchecked. Hospitals are rapidly becoming overwhelmed. Because the virus has a high mortality rate if not treated promptly, both States desperately want to develop an effective treatment for those infected and a vaccine to protect others from becoming ill.

[F2] Over the prior decade, the relationship between States A and B has deteriorated significantly. The recent rise to power of an ultra-nationalist prime minister in State B, unrestrained by a similarly disposed parliament, has worsened the decline in relations. In the last year, State B has frequently accused State A of mistreating its large ethnic minority.

[F3] The largest State-run hospital in State A, which also serves as a vaccine research facility and the primary national virus testing facility, was recently victimized by a pair of hostile cyber operations. Eight months of vaccine research and clinical trial data was copied and exfiltrated (incident 1). Forensic investigators in State A cannot definitively rule out the possibility that the perpetrator maintains persistent access to the hospital’s information systems. However, investigators conclude, with moderate certainty, that the integrity of the original data remains intact and unchanged. State A appears to still have full, unrestricted access to the research data in its continuing effort to develop an effective vaccine. The operation appears to have been limited to exfiltration of data and, consequently, a loss of confidentiality.

[F4] A two-day distributed denial of service (DDoS) attack left the public unable to access the hospital’s website to obtain information about testing availability and unable to view test results (incident 2).

[F5] Both publicly and through diplomatic channels, State B denies any involvement in the incidents. Despite these denials, State A cybersecurity authorities conclude with a high degree of confidence, based on forensic analysis, that State B is the most probable actor responsible for both the exfiltration of the vaccine research and the DDoS attack. The vaccine research and clinical trial data obtained from State A were exfiltrated to the Ministry of Health in State B. Moreover, the techniques used for both the data theft and the DDoS attack are identical to those employed by State B’s intelligence service in previous cyber operations conducted against State C, an ally of State A.

Examples

 * Brno University Hospital ransomware attack (2020)

Legal analysis
For a general overview of the structure of analysis in this section, see Note on the structure of articles.

[L1] The analysis in this scenario focuses on three main issues: 1) Whether the cyber operations conducted against State A are attributable to State B; 2) Whether the exfiltration of State A’s vaccine research is an internationally wrongful act; and 3) Whether the DDoS operation against State A is an internationally wrongful act.

State organs and exercise of governmental authority
[L2] Both the cyber espionage operation and the DDoS attack are attributable to State B. State A considered the possibility that this hostile cyber operation is, in fact, a “false flag” operation perpetrated by a third State in such a way as to make it appear State B is responsible. However, in light of its increasingly strained diplomatic relationship with State B, the fact that the vaccine research was exfiltrated to the Ministry of Health in State B, and because the techniques employed to conduct both operations comport with those previously used by State B’s intelligence service against State C, State A has a high degree of confidence that State B is responsible. State B’s intelligence service is undeniably functioning as part of State B’s central government and is thus a State organ, the conduct of which is attributable to State B under Article 4 of the International Law Commission’s Draft Articles on the Responsibility of States for Internationally Wrongful Acts. Consequently, the balance of the analysis of this scenario considers whether State B breached international law either by exfiltrating vaccine research data or by conducting the DDoS operation against the hospital in its capacity as a vaccine research site and as State A’s principal virus testing facility.

Contributions

 * Scenario by: Jeremy K. Davis
 * Analysis by: Jeremy K. Davis
 * Reviewed by: ???, ???, ???