Scenario 02: Cyber espionage against government departments

A military unit of State B conducts a cyber espionage operation against State A’s Ministry of Foreign Affairs and its subordinate organizations. The data obtained in this operation is later published on the Internet.

The analysis considers whether State B’s operation violated diplomatic and consular law, sovereignty, and the prohibition of intervention.

Keywords
Attribution, cyber espionage, diplomatic and consular law, prohibited intervention, sovereignty

Facts
State A discovers that a mail server and several other servers belonging to its Ministry of Foreign Affairs (MFA) have been infiltrated. Investigation shows that the intruders gained access to the mail server by obtaining passwords of several consular officers at State A’s missions abroad through spear phishing and fake log-on websites (incident 1).

After gaining access, the intruders escalated their privileges and moved laterally through the network. Within a few days, they gained access to other servers and services. They had access to data of various MFA personnel including senior officials for several months (incident 2).

A vast amount (over 10 GB) of unclassified data was exfiltrated, even though it is not immediately clear what precise data was affected by the incident (incident 3). No data was destroyed or encrypted.

Nobody claims responsibility for the attack immediately after the discovery of the incident. However, a few days later, emails, procurement documents, and internal memos purportedly belonging to the MFA of State A are published on the Internet. (incident 4).

Judging by the nature of the compromised data and by persons that were apparently of particular interest to the attackers, the attackers seem to have been located in or related to State B. Technical investigation suggests that the malware tools used were in the past employed by an entity affiliated with a military unit of State B. Following requests for information addressed to various CERTs around the world, State A’s authorities establish that similar attacks have been executed against central government institutions in several other countries. Earlier on, head of an allied intelligence service in State C had publicly accused State B of a cyber espionage campaign conducted by the above military unit against that State C’s MFA.

Both State A and State B are parties to the Vienna Convention on Diplomatic Relations (VCDR) and the Vienna Convention on Consular Relations (VCCR).

Similar real-world incidents

 * APT-29 attacks on ministries in 2016-2017
 * Office of Personnel Management data breach

Legal analysis
For a general overview of the structure of analysis in this section, see Note on the structure of articles.

The legal analysis focuses on a number of relevant international legal rules, including the obligation to respect the sovereignty of other States, prohibition of intervention, and inviolability under diplomatic law.

International humanitarian law is not analysed in detail. There is no ongoing armed conflict, nor do the incidents trigger the application of international humanitarian law. They do not amount to a use of force or an armed attack, because they are not severe enough to be comparable to a ‘physical’ use of force.

Attribution
The military unit of State B qualifies as an organ of that State. As such, its relevant conduct is directly attributable to State B. The following analysis proceeds on the assumption that all incidents described in the scenario (incidents 1–4) were conducted by the said State B’s military unit.

Breach of an international obligation
The following obligations based on treaty law and customary international law are considered:

Diplomatic and consular law
In incident 1, by gaining access to an official email account of a consular officer, State B ran afoul of the inviolability of official correspondence. The lateral movement (incident 2) and exfiltration of data (incident 3) are just further steps in the illegal activity of State B, at least to the extent that the hacked accounts and servers contained data pertaining to State A’s diplomatic missions and consular posts, irrespective of their location.

Incident 4, wherein the data was published on the Internet, raises the question whether the published materials are still protected by international law. This issue is unsettled in the present state of the law. One view, endorsed by a majority of the experts drafting the Tallinn Manual, is that inviolability no longer applies to data that has been made public, as it is “not confidential as a matter of fact”. By contrast, others believe that the duty to respect the inviolability of the materials in question continues to apply in such cases. The primary reason for this view is that the duty of inviolability covers the protected materials “wherever they may be”, which therefore includes even the public domain.

Sovereignty
With regard to incidents 1–3, the answer depends on whether the espionage operation was fully conducted from outside of State A’s territory, or whether a part of it was conducted by operators physically located in State A’s territory. In the latter case, the operation could be considered a violation of sovereignty, and hence State B’s breach of its corresponding international obligation (option 1 above).

Taken separately, the publication of the acquired data (incident 4) would not violate the sovereignty of State A. Had the published information been classified in State A, then the publication is likely illegal according to State A’s domestic law; State A can also be party to international agreements which regulate the transfer of its classified information to third parties, which may create obligations for third States with regard to this information.

Prohibition of intervention
In the present scenario, prohibited intervention could also be a relevant qualification. The incidents encroach on State A’s external affairs which are the sole prerogative of State A. However, incidents 1–3 do not contain the element of coercion, because they are conducted merely with the aim to gather information, which does not compel State A to adapt the conduct of its external affairs.

As for incident 4, if it can be attributed to State B, it is coercive in the sense that it has the potential to cause State A to adapt its external affairs based on the published information and to contain the relevant political damage. It may be harder for State A to ascertain the intent of State B, which might have had no particular outcome in mind, apart from causing mischief. This might also pose an issue for establishing the causal nexus between State B’s activity and the resulting reaction by State A: the causality might not be deemed direct enough.

Espionage
As this overview demonstrates, the mere characterization of a cyber operation as amounting to cyber espionage is not conclusive as to the question of its lawfulness under international law. Reference must be had to specific rules of international law, which may be breached by the operation in question in its specific circumstances (see especially Sovereignty and Prohibited intervention above). It may be noted that there is a view that acts of espionage represent a customary exception to the relevant prohibitions. However, this interpretation would amount to the establishment of a novel circumstance precluding wrongfulness, for which there is no evidence in international law. Accordingly, the lawfulness of incidents 1–4 therefore must be assessed with reference to other applicable international legal rules.

Checklist

 * Do the affected materials come under the duty of inviolability?
 * Does the exfiltration and publication of data violate the sovereignty of the victim State?
 * Does the exfiltration and publication of data amount to a prohibited intervention?
 * Is the fact that part of the operation is cyber espionage an important circumstance for the il/legality of the operation?

Bibliography and further reading

 * MN Schmitt (ed), Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (CUP 2017)
 * Etc.