Scenario 08: Certificate authority hack

The scenario analyses a cyber operation against a certificate authority that provides services to private and public entities, with indications that the operation was commissioned or exploited by a State. What are the relevant human rights obligations in cyberspace? What other international obligations may have been breached?

Keywords
Attribution, sovereignty, prohibition of intervention, mass surveillance, international human rights law

Facts
[F1] A company based in State A provides certificate authority services, including for government departments and agencies of State A. It has now been hacked by intruders, who assume control of the company’s certificate-issuing servers and, for several weeks, proceed to issue fraudulent certificates for private sector services, such as email or VoIP-based telephony, but also for services related to the company register in State A (incident 1). Indicators of compromise (IoCs) point to the use of proxies (an unaffiliated group) in incident 1.

[F2] The fraudulent certificates are later used in a massive man-in-the-middle attack to intercept free email communication of several hundreds of thousands of individuals in State A (incident 2). Available evidence shows that State B’s intelligence service ordered and paid the above-mentioned group to issue some of the fraudulent certificates, including to the company register in State A. State B's intelligence service then used the certificates in conducting its mass surveillance operation.

[F3] Eventually, all of the certificates issued by the company are blacklisted by the major internet browsers, the attack is contained, and the company files for bankruptcy.

[F4] State A and State B are State parties to the International Covenant on Civil and Political Rights (ICCPR).
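As an added illustration (not part of the Toolkit scenario) of the client-side defences behind F2 and F3, the following Python check models, with constructed certificate records rather than real X.509 parsing and with name matching instead of signature verification, how a relying party rejects any chain that passes through a distrusted CA key (the blacklisting of the company's certificates) and how a pinned host presenting an unexpected key surfaces the interception. The CA names, hostnames and key bytes are constructed placeholders.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str        # hostname or CA name
    issuer: str         # subject of the signing CA
    spki: bytes         # public key bytes; constructed placeholders here
    is_ca: bool = False


def spki_sha256(cert: Cert) -> str:
    """Hash of the public key; browsers blocklist a hacked CA by this value."""
    return hashlib.sha256(cert.spki).hexdigest()


def validate_chain(leaf, intermediates, roots, distrusted_spki, pins):
    """Walk from the leaf up to a trusted root and return (ok, reason).
    Fails on: no path to a trusted root; any certificate on the path with a
    distrusted key (the blacklisting in F3); a pinned host presenting a key
    other than the expected one (an indicator of the interception in F2).
    Simplified: certificates are linked by name only, no signature checks."""
    by_subject = {c.subject: c for c in intermediates + roots}
    root_keys = {spki_sha256(r) for r in roots}
    path, cur, seen = [leaf], leaf, {leaf.subject}
    while spki_sha256(cur) not in root_keys:
        nxt = by_subject.get(cur.issuer)
        if nxt is None or nxt.subject in seen or not nxt.is_ca:
            return False, "no-trusted-root"
        seen.add(nxt.subject)
        path.append(nxt)
        cur = nxt
    for cert in path:
        if spki_sha256(cert) in distrusted_spki:
            return False, f"distrusted-key:{cert.subject}"
    expected = pins.get(leaf.subject)
    if expected is not None and spki_sha256(leaf) != expected:
        return False, "pin-mismatch"
    return True, "ok"


# Constructed sample PKI: GoodCA is honest, ExampleCA is the hacked authority.
GOOD_ROOT = Cert("GoodCA Root", "GoodCA Root", b"goodca-root-key", is_ca=True)
HACKED_ROOT = Cert("ExampleCA Root", "ExampleCA Root", b"exampleca-root-key", is_ca=True)
GOOD_INT = Cert("GoodCA Issuing", "GoodCA Root", b"goodca-issuing-key", is_ca=True)
ROOTS = [GOOD_ROOT, HACKED_ROOT]
REAL_MAIL = Cert("mail.example", "GoodCA Issuing", b"mail-real-key")
ROGUE_MAIL = Cert("mail.example", "ExampleCA Root", b"mail-rogue-key")  # fraudulent
DISTRUSTED = {spki_sha256(HACKED_ROOT)}   # blocklist pushed after incident 1
PINS = {"mail.example": spki_sha256(REAL_MAIL)}
```

Before the blocklist is pushed and without a pin, the rogue certificate validates like any other, which is why the interception in incident 2 went unnoticed until the certificates were blacklisted.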

Examples

 * DigiNotar (2011)

Legal analysis
For a general overview of the structure of analysis in this section, see Note on the structure of articles.

[L1] The legal analysis first briefly deals with the attribution of incidents 1 and 2 to State B, then continues with the breach of State B’s obligations to respect the sovereignty of other States, prohibition of intervention, and the obligations arising from international human rights law.

Non-State actors
[L2] In the present scenario, it is crucial that State B ordered and paid the group to issue some of the fraudulent certificates in incident 1. The fact of accepting this order confirms the existence of a factually subordinate relationship at the relevant time, and thus the conduct of the non-State group is attributable to State B under the “instruction” standard of Article 8 of ILC’s Articles on State Responsibility.

State organs
[L3] The intelligence service of State B is an organ of that State; therefore, its conduct is attributable to State B. In the present scenario, this covers the mass interception of emails in State A (incident 2).

Obligation to respect the sovereignty of other States
[L4] There is no evidence that options 1 or 2 would be of relevance in this scenario.

[L5] With respect to option 3, the fact that the company’s certificates were blacklisted implies that the services using the certificates had to change to a different certificate authority. In the meantime, the trust in these services could not be guaranteed. Some websites using the blacklisted certificates would still function, but browsers would issue security alerts, leading to economic losses for the respective businesses, as customers would be afraid to continue to their websites. Other services lost functionality until they installed new certificates; in particular, online payment systems and mobile banking apps would stop working completely.

[L6] The precise threshold of the loss of functionality is difficult to determine. If the loss is only temporary, does not lead to significant disruptions, and can be easily fixed, then it would likely not qualify. However, assuming that the threshold was reached, State B is responsible insofar as it ordered the non-State actor to issue some of the fraudulent certificates (incident 1).

[L7] As for option 4, some of the affected systems were providing secure access to State A’s company register. Running this register is State A’s inherently governmental function, and if the function could not be provided due to the interference by State B (incident 1), then State B’s conduct amounted to a violation of State A’s sovereignty.

[L8] Option 5, the usurpation of inherently governmental functions by State B, poses an interesting problem: was State B exercising its law enforcement functions in State A’s territory by intercepting the emails of several hundred thousand people in State A’s territory (incident 2)? If its intelligence service was collecting evidence for criminal proceedings abroad without the consent of State A, then it was exercising law enforcement functions and hence violating State A’s sovereignty; if it was merely engaging in cyber espionage for national security purposes, then according to this option, it was not usurping inherently governmental functions of State A.

[L9] On the basis of the foregoing, it can be summarized that in the context of incident 1, State B violated the sovereignty of State A insofar as the actions of the non-State actor can be attributed to State B. As for incident 2, the answer depends on the actual goal of State B’s conduct.

Prohibition of intervention
[L10] In incident 1, State B interfered with the internal affairs of State A by having a non-State actor issue fraudulent certificates, thereby undermining the security of online government services. However, proving the coercive nature of the act can be difficult. It depends on the ultimate goal of State B, and whether the act can be causally linked to the goal. If State B merely wanted to cause nuisance and economic loss to State A without any particular goal, the act does not qualify as prohibited intervention (even though it does qualify as a violation of sovereignty: see above).

[L11] In incident 2, the analysis again depends on the goal of State B. If State B wanted to engage in cyber espionage against the Internet users in State A’s territory, or even if it wanted to conduct law enforcement activities in State A’s territory, without any intent to influence State A’s decisions on its internal or external affairs, the prohibition of intervention would not have been breached.

Obligations arising from international human rights law
[L12] (1) Does the obligation of State B to respect the right to privacy pursuant to Article 17 ICCPR apply to its cyber operations against individuals in State A? The owners and presumably also the content of the intercepted email accounts were located in State A. State B, whose State organ commissioned the preparation of the interception and then executed it itself, would be obligated to respect the human rights of those natural persons if they were under its jurisdiction or control.

[L13] According to one line of thought, if an organ of State B can, in the exercise of its jurisdiction, secretly interfere with the human rights of individuals anywhere in the world without the knowledge of the territorial State (in this case, State A), then it is logically State B which must make sure that this interference is conducted in accordance with the requirements of the ICCPR.

[L14] The counterargument is that there is a lack of consensus whether interfering with cyber infrastructure abroad can amount to exerting effective control. In the present state of the law, State B therefore cannot be held responsible for violating human rights of the individuals concerned.

[L15] (2) Assuming that the ICCPR applies, a surreptitious interception of emails between individuals is an interference with their right to privacy pursuant to Article 17 ICCPR (specifically, interference with their correspondence). Depending on the goal of State B, the interception might also implicate Article 19 ICCPR (right to freedom of expression).

[L16] (3) The scenario does not contain any information about State B’s domestic law. If there is a domestic law regulating extraterritorial surveillance or criminal investigation, which is compliant with the requirements of the international obligation (legality, legitimacy of the objective, necessity to achieve the goal, and proportionality), and the email interception is done in accordance with that law, then State B’s activity would be in accordance with the ICCPR.

[L17] With regard to the number of affected individuals (“several hundreds of thousands”), it should be noted that the Court of Justice of the European Union (CJEU) ruled that it would be extremely difficult for bulk online surveillance to be compatible with the EUCFR; however, as of October 2018, the case-law of the ECtHR seems to be developing in a less strict direction. Although these rulings do not directly apply to States not members of the relevant treaty regimes, they may nonetheless carry persuasive value for the further development of the law in this area.

[L18] To sum up the three steps of the test, it cannot be concluded that the interception of emails by itself amounts to a violation of international human rights law. Although such conduct would most certainly interfere with several human rights of the affected individuals, its compatibility with IHRL would fall to be determined by the justification proffered by the acting State.

[L19] The positive obligation of State A (to take all reasonable measures to protect the human rights of persons in its territory who have been targeted by State B's operation) encompasses protecting the persons from further abuse of their rights, taking appropriate measures against the perpetrators of the abuse, but also measures to prevent an abuse if there are grounds to believe that such abuse will occur. In the situation at hand, the obligation would likely include the duty of State A to rapidly investigate incident 1 and to prevent or reduce the impact of incident 2 by immediately informing the international cyber security community about the fraudulent certificates.

Checklist

 * Attribution: Did State B provide instructions or exercise direction or control over the non-State actor?
 * Attribution: Is an intelligence agency a State organ of State B?
 * Sovereignty: Did State B’s operation cause a loss of functionality of another State’s cyber infrastructure?
 * Sovereignty: Did State B usurp State A’s inherently governmental functions by its cyber operation in State A’s territory?
 * Prohibited intervention: Did State B try to coerce State A by its cyber operation?
 * International human rights law: Does the ICCPR apply to State B’s cyber operation abroad?
 * International human rights law: Which human rights are implicated by State B’s cyber operation?
 * International human rights law: Is State B’s cyber operation justified from the perspective of international human rights law?

Bibliography and further reading

 * James Crawford, Brownlie’s Principles of Public International Law (OUP 2012).
 * Gary P Corn and Robert Taylor, ‘Sovereignty in the Age of Cyber’ (2017) 111 AJIL Unbound 207.
 * Wolff Heintschel von Heinegg, ‘Territorial Sovereignty and Neutrality in Cyberspace’ (2013) 89 Int’l L Stud 123.
 * Kubo Mačák, ‘Decoding Article 8 of the International Law Commission’s Articles on State Responsibility: Attribution of Cyber Operations by Non-State Actors’ (2016) 21 JCSL 405.
 * Marko Milanovic, ‘Human Rights Treaties and Foreign Surveillance: Privacy in the Digital Age’ (2015) 56/1 HarvIntlLJ 81.
 * Michael N Schmitt (ed), Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (CUP 2017).
 * Michael N Schmitt, ‘Virtual Disenfranchisement: Cyber Election Meddling in the Grey Zones of International Law’ (2018) 19 ChiJIntlL 30.
 * Michael N Schmitt and Liis Vihul, ‘Respect for Sovereignty in Cyberspace’ (2017) 95 Tex L Rev 1639.
 * Sean Watts and Theodore Richard, ‘Baseline Territorial Sovereignty and Cyberspace’ (2018) 22 Lewis & Clark L Rev 771.
 * Katja Ziegler, ‘Domaine Réservé’ in Rüdiger Wolfrum (ed), Max Planck Encyclopedia of Public International Law (OUP 2008).

Contributions

 * Scenario by: Taťána Jančárková & Tomáš Minárik
 * Analysis by: Tomáš Minárik
 * Reviewed by: Russell Buchan; Jakub Harašta; Tomáš Morochovič