Scenario 04: A State’s failure to assist an international organization

An international organization falls victim to cyber attacks, the impact of which could and should have been averted by the host state. The scenario explores the obligation of due diligence on the part of the host state and whether and under what circumstances the international organization may resort to countermeasures.

Keywords
Legal personality, international organization, countermeasures

Facts
The regional headquarters (RHQ) of the international organization Z is located in State A, which is also a Member State of the organization. The status of the RHQ is governed by a host agreement between State A and organization Z. The agreement establishes, among other things, (1) a scheme of regular monthly payments by organization Z to State A in return for the provision of communications, security, and other services; and (2) a duty of State A to “render all practicable assistance to [organization Z] in the fulfilment of its functions, including […] the provision of security of communications and information systems”.

Some time later, security researchers at a government CERT in State B, which is not a Member State of organization Z, discover a large-scale APT campaign that targets several public and private institutions in various countries. After they determine that the computer network of organization Z’s RHQ in State A has also been compromised, they submit a confidential report of their findings to the CERT in State A, including recommendations of specific measures to be taken.

Several days later, all RHQ computers are paralysed by data-encrypting ransomware. It is later confirmed that the malware does not actually preserve the encryption key and that all encrypted data has therefore been irretrievably lost.

The fact that all RHQ staff were locked out of their devices, combined with the loss of data, means that the international organization experiences a significant disruption to its activities in the entire region. The confidential report is soon leaked to the press, exposing State A as having left the organization “at the mercy” of foreign hackers.

Aggrieved by these revelations, the organization ceases all payments to State A and issues a public statement noting that it does not intend to reinstate the payments until the State compensates it for all damage incurred by the cyber attack and provides credible reassurance that an incident of this kind will not happen in the future. The origin of the attack remains unknown.

Similar real-world incidents
 * 1718 sanctions committee
 * NotPetya
 * WannaCry
 * African Union headquarters hack

Legal analysis
For a general overview of the structure of analysis in this section, see Note on the structure of articles.

Breach of obligations owed to international organizations
It has long been established that international organizations may possess legal personality under international law. Those that do qualify as subjects of international law and are therefore capable of possessing international rights and duties. Although the legal personality of some organizations may pose particular problems, a State that concludes an agreement with an international organization clearly thereby recognizes its legal personality. It follows that the legal personality of organization Z was at least implicitly recognized by State A by virtue of the conclusion of the host agreement.

There is no general rule of international law that prohibits interference with the cyber infrastructure of an international organization. Cyber operations against the infrastructure of an international organization located in the territory of a particular State may simultaneously infringe the international legal rights of that State, which then becomes entitled to respond to the breach. However, that solution is manifestly not available where the potentially responsible party is the territorial State itself, as in the present scenario. In other words, a specific obligation owed by the State to the organization must be identified.

An obligation of this kind may arise from an international treaty between a State and an international organization. State A is indeed under the duty to “render all practicable assistance to [organization Z] in the fulfilment of its functions, including […] the provision of security of communications and information systems”, an obligation paralleled in other existing host agreements.

Firstly, the obligation of State A to provide all practicable assistance to international organization Z is an obligation of conduct and not of result. State A is thus not responsible merely for the fact that negative consequences materialized in the form of the loss of data and the need to repair the attacked cyber infrastructure belonging to organization Z. However, State A was informed by the CERT in State B of the risk that malicious actors might soon seize control of the computers in the regional office. Accordingly, the State’s failure to act on the report in any way whatsoever is legally relevant. Irrespective of the factual consequences of the State’s conduct, it will be in breach of its obligation if its actual conduct does not correspond to the conduct required by the obligation.

Secondly, whether a State’s actual conduct corresponds with that required by an obligation of conduct is determined by reference to the criterion of due diligence.

Thirdly, although the extent of required conduct will vary from case to case, if a State fails to act altogether in spite of a real possibility that its inaction would adversely affect the beneficiary of the obligation, then it will clearly not have met the due diligence criterion.

Whether an obligation subject to a relative standard such as “practicability”, “feasibility”, or “reasonableness” has been complied with must be assessed on a case-by-case basis in light of all attendant circumstances.

Applied to the present scenario, the above considerations lead to the conclusion that State A did not meet the standard of due diligence against which its compliance with the obligation to render all practicable assistance is measured. As such, State A violated its obligation owed to international organization Z under the host agreement. Moreover, this violation was of a continuing character, persisting for as long as State A’s inaction inconsistent with its international obligations continued.

Countermeasures by international organizations
This section focuses on the question whether, and to what extent, international organization Z may respond to the breach of the host agreement by State A by taking measures that would otherwise be unlawful under international law. It does not, however, consider the related question of suspension or termination of treaty relations between State A and international organization Z on account of a supposed material breach of the host agreement.

To begin with, it follows from an international organization’s legal personality that if its rights have been infringed by another subject of international law, the organization must have the right to invoke that subject’s international responsibility. In particular, the organization may demand the cessation of the internationally wrongful act as well as reparation for the injury suffered. However, it is not universally accepted that an international organization may resort to countermeasures in order to procure such cessation and/or reparation. Those who object to such a capacity on the part of international organizations under existing international law point to insufficient practice in the area. However, in the decentralized international legal order, the right to invoke the responsibility of other subjects must entail the right to resort to the permissible means of enforcement that have evolved under international law. To hold otherwise would be to deprive international organizations of the ability to protect their rights effectively and thus to nullify the legal effect of their legal personality. The view that international organizations may take countermeasures is additionally supported by the International Law Commission and by several international organizations and States.

The interruption of payments owed to State A under the terms of the host agreement amounts to a clear breach of organization Z’s international obligations. In order for this conduct to be considered a countermeasure and, as such, internationally lawful, several conditions must be fulfilled.

In particular, the injured international organization must first call upon the responsible party to fulfil its obligations of cessation and reparation, and it must notify the latter of its intention to take countermeasures, while offering to negotiate (condition 1); any countermeasures taken must comply with the principle of proportionality (condition 2); they must be, as far as possible, temporary in nature and terminate as soon as the responsible party has fulfilled its relevant obligations (condition 3); and they must not violate obligations under peremptory norms of general international law (condition 4).

In the present case, condition 1 appears not to have been met: international organization Z would have been well advised to communicate its demands and intentions to State A prior to interrupting the payments required under the host agreement. Exceptionally, the injured party may dispense with the notification requirement and take “urgent countermeasures”, but this exception is limited to those measures that are necessary to preserve that entity’s rights. No such urgency is substantiated under the terms of the scenario. Moreover, the UK Attorney General has recently suggested that the notification requirement may not apply in the cyber context if it entailed the exposure of “highly sensitive capabilities in defending the country”. Whatever the status of this supposed additional exception under international law, it would clearly be inapplicable to the present set of facts.

Condition 2 requires that any countermeasures taken must be commensurate with the injury suffered, taking into account the gravity of the internationally wrongful act and the rights in question. This requirement of proportionality does not imply that the response must be equivalent, reciprocal or even in kind: “[n]on-cyber countermeasures may be used in response to an internationally wrongful act involving cyber operations, and vice versa”. In the present case, international organization Z would likely be able to make a solid case that the measures it took in response were proportionate to the injury suffered. This is because, until the effects of the malicious cyber operation against it are remedied, the organization will not be able to resume its activities. Accordingly, the cessation of payments to State A for the provision of communications, security, and other services appears to be directly tied to the rights infringed and not in excess of what is needed for the vindication of those rights. As such, the measures taken by Z can be considered compliant with the criterion of proportionality.

Condition 3 requires that countermeasures must be terminated as soon as the responsible party has complied with its cessation and reparation obligations. In this regard, the statement by international organization Z seems to follow the relevant legal requirements closely. As noted above, at that time State A’s inaction qualified as a breach of its international obligations having a continuing character. Suppose that State A were subsequently to agree to provide adequate reparation by, for example, repairing the damaged cyber infrastructure, paying appropriate compensation, and introducing effective measures to avoid the repetition of similar incidents. In that case, any countermeasures would no longer be justified and international organization Z would have to resume all its duties under the host agreement.

The described countermeasures do not violate obligations under peremptory norms (condition 4).

In conclusion, although organization Z was in principle entitled under international law to resort to countermeasures, under the circumstances of the present scenario the cessation of payments to State A did not meet one of the necessary criteria (condition 1 above), and as such it amounted to a violation of international law by the organization.

Bibliography and further reading

 * MN Schmitt (ed), Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (CUP 2017)
 * Etc.