Main Page



 Welcome to the Cyber Law Toolkit, an interactive online resource on international law and cyber operations.

<!-- REMOVED OLD INCIDENTS In July 2018, Singapore’s health system (SingHealth) was infiltrated by malware and the personal particulars of about 1.5 million people were stolen. Among the victims of the hack were some prominent Singaporean politicians, including the prime minister. Only data containing personal information of the patients like name, date of birth, address, gender, etc was taken. However, the records were neither deleted nor edited. According to the statement of the Health Minister Gan Kim Yong, this attack was “unprecedented”. The professionalism with which the attack was conducted and the fact that records of politicians were affected made the Cyber Security Agency of Singapore (CSA) and the government suspect that another State may have been involved. Yet, no specific allegations have been made in this regard. Although none of the existing scenarios analyses a cyber incident involving patient records, the cyber operations against SingHealth are related to scenarios 01 and 02, which consider whether exfiltration of data amounts to a violation of State sovereignty. On 27 July 2018, the New York Times reported a statement from the US Department of Homeland Security (DHS) that a 2017 cyber campaign by Russia had allegedly compromised the networks of several electrical utility companies in the US. The DHS linked the attack to the Russian group known as Dragonfly or Energetic Bear. The DHS stated that the attacks put the infiltrators in a position where they were capable of causing blackouts on the US territory. The department cited "hundreds of victims", greater than previously acknowledged. The statement was preceded by a joint alert issued by the DHS and the Federal Bureau of Investigation (FBI) in March 2018, warning network defenders of Russian threats to US critical infrastructure sectors including energy, water, and aviation. Scenario 03 specifically considers and assesses the impact of one State conducting a cyber operation against the electrical grid of another State. <!-- INCIDENT 4 Prior to the US midterm elections in 2018, the US Cyber Command implemented a new preventive strategy in order to protect the elections from foreign interference. According to the media reports, the strategy was aimed at preventing Russian individuals from engaging in concerted disinformation campaigns. The targeted individuals were informed that their work and online conduct would be surveilled by the US authorities. However, the US officials did not disclose the number of individuals they had contacted nor the method of transferring the warning to the operators concerned. Scenario 01 of the Toolkit analyses whether specific forms of electoral interference abroad violate rules of international law and scenario 06 considers whether the victim State may engage in countermeasures against an enabling State. <!-- INCIDENT 5 In early May 2019, hostilities flared up again in the context of the armed conflict between Israel and Palestine. According to news reports, hundreds of rockets were fired on Israel, while the Israel Defense Forces (IDF) answered with artillery and airstrikes. Remarkably, the Israeli response included also a kinetic attack allegedly aimed at countering a hostile cyber operation conducted by Hamas. In particular, the IDF announced on Twitter that it had “thwarted an attempted Hamas cyber offensive” and subsequently conducted an air strike against the Hamas Cyber Headquarters. The announcement has sparked a debate whether this operation sets a legal precedent from the perspective of international law. Within the Toolkit, Scenario 03 considers when a cyber operation may qualify as a use of force under international law and Scenario 12 analyses aspects of the law of targeting with respect to cyber operations. <!-- INCIDENT 6 In September 2019, Huawei released a media statement accusing the US government of “disrupting” Huawei’s business operations with “every tool at its disposal” including the launch of “cyber attacks to infiltrate Huawei's intranet and internal information systems”. The accusation came three days after a Wall Street Journal article which had reported about the US Department of Justice investigations into Huawei for alleged technology theft. In the Toolkit, Scenario 09 assesses the lawfulness of economic cyber espionage under international law. In addition, Scenario 05 considers the legal limits to the exercise of law enforcement by one State in response to malicious cyber operations from another. <!-- INCIDENT 7 In October 2019, the UK’s National Cyber Security Centre (NCSC) and the US National Security Agency (NSA) issued a report on the activities of the hacker group Turla, suspected to be based in Russia. The report claimed that two malicious tools – previously identified as being used by Turla – were Iranian in origin. Allegedly, Turla was now using these tools independently to exploit them for its own intelligence aims. While the report acknowledged the difficulties of attributing cyber operations, it claimed that Turla had had access to Iranian tools and thus had most likely compromised Iran’s operational as well as command-and-control infrastructure. The tools have allegedly been used for espionage against foreign governments, most likely in the Middle East. Within the Toolkit, scenario 02 considers the legality of cyber espionage against government departments and scenario 07 considers the leak of State-developed hacking tools and their subsequent repurposing by malicious actors. <!-- INCIDENT 8 On 20 June 2019, the US Cyber Command launched multiple cyber attacks disabling computer systems that controlled Iran’s rocket launchers and wiping out a critical database of Iran’s Islamic Revolutionary Guard Corps. The attacks were reportedly a direct response to earlier attacks against oil tankers in the Persian Gulf and the downing of an American surveillance drone after it had allegedly entered Iran’s airspace. Iran has denied all responsibility for the tanker attacks. The cyber attacks were conducted the same day that President Trump called off a military strike against Iran and were reportedly intended to remain below the threshold of armed conflict. The Toolkit considers whether specific cyber operations amount to uses of force in scenario 03 and scenario 14. Moreover, scenario 13 examines when cyber operations may trigger the application of international humanitarian law. <!-- INCIDENT 9 On 29 January 2020, The New Humanitarian reported that dozens of servers were “compromised” at the United Nations offices in Geneva and Vienna. The attack dated back to July 2019 and affected staff records, health insurance, and commercial contract data. According to an unnamed UN official cited in an Associated Press report on the same day, the level of sophistication was so high that it was possible a State-backed actor might have been behind it. Within the Toolkit, Scenario 04 specifically considers a hypothetical situation in which an international organization falls victim to cyber attacks, the impact of which could and should have been averted by the host State. <!-- INCIDENT 10 On 30 July 2020, the Council of the European Union decided to impose restrictive measures against six individuals and three entities considered to be responsible for or involved in various hostile cyber operations. These included the attempted hack of the Organization for the Prohibition of Chemical Weapons (OPCW) and the WannaCry and NotPetya incidents. The sanctions imposed included a travel ban and an asset freeze. In addition, EU persons and entities were prohibited from making funds available to those listed. This was the first time the EU has imposed restrictive measures of this kind. Within the Toolkit, Scenario 04 specifically considers a hypothetical situation in which an international organization falls victim to cyber attacks, and Scenario 17 discusses the legality of targeted restrictive measures of this kind from the perspective of international law.