Scenario 23: Vaccine research and testing

__NUMBEREDHEADINGS__

A major State-run hospital serving as a virus testing and vaccine research facility falls victim to both research espionage and a two-day distributed denial of service (DDoS) attack during a pandemic. Several months of research and clinical trial data is exfiltrated to a neighbouring State. As a result of the DDoS attack, the victim State’s population cannot access information about virus testing availability and cannot obtain test results. The scenario considers attribution of the cyber operations and whether such incidents constitute a violation of sovereignty, a prohibited intervention, a use of force, or a violation of international human rights law.

Keywords
Attribution, sovereignty, peacetime cyber espionage, prohibition of intervention, use of force, international human rights law

Facts
[F1] State A and State B are suffering from a pandemic caused by a highly communicable, previously unidentified respiratory virus. Common symptoms of the virus include high fever, cough, shortness of breath, and fatigue. Because some infected persons are symptomatic and others are contagious despite appearing asymptomatic, the virus is spreading virtually unchecked. Hospitals are rapidly becoming overwhelmed. The virus’ high mortality rate, if not treated promptly, means both States desperately want to develop an effective treatment for those infected and a vaccine to protect others from becoming ill.

[F2] Over the prior decade, the relationship between States A and B has deteriorated significantly. The recent rise to power of an ultra-nationalist prime minister in State B, unrestrained by a similarly disposed parliament, has worsened the decline in relations. In the last year, State B has frequently accused State A of mistreating its large ethnic minority.

[F3] The largest State-run hospital in State A, which also serves as a vaccine research facility and the primary national virus testing facility, was recently victimized by a pair of hostile cyber operations. Eight months of vaccine research and clinical trial data was copied and exfiltrated (incident 1). Forensic investigators in State A cannot definitively rule-out the possibility that the perpetrator maintains persistent access to the hospital’s information systems. However, investigators conclude, with moderate certainty, that the integrity of the original data remains intact and unchanged. State A appears to still have full, unrestricted access to the research data in its continuing effort to develop an effective vaccine. The operation appears to have been limited to exfiltration of data and, consequently, a loss of confidentiality.

[F4] A two-day distributed denial of service (DDoS) attack left the public unable to access the hospital’s website to obtain information about testing availability and unable to view test results (incident 2).

[F5] Both publicly and through diplomatic channels, State B denies any involvement in the incidents. Despite these denials, State A cybersecurity authorities conclude with a high degree of confidence, based on forensic analysis, that State B is the most probable actor responsible for both the exfiltration of the vaccine research and the DDoS attack. The vaccine research and clinical trial data obtained from State A were exfiltrated to the Ministry of Health in State B. Moreover, the techniques used for both the data theft and the DDoS attack are identical to those employed by State B’s intelligence service in previous cyber operations conducted against State C, an ally of State A.

Examples

 * Brno University Hospital ransomware attack (2020)

Legal analysis
For a general overview of the structure of analysis in this section, see Note on the structure of articles.

[L1] The analysis in this scenario focuses on three main issues: 1) Whether the cyber operations conducted against State A are attributable to State B; 2) Whether the exfiltration of State A’s vaccine research is an internationally wrongful act; and 3) Whether the DDoS operation against State A is an internationally wrongful act.

Attribution
[L2] Both the cyber espionage operation and the DDoS attack are attributable to State B. State A considered the possibility that this hostile cyber operation is, in fact, a “false flag” operation perpetrated by a third State in such a way as to make it appear State B is responsible. However, in light of its increasingly strained diplomatic relationship with State B, the fact that the vaccine research was exfiltrated to the Ministry of Health in State B, and because the techniques employed to conduct both operations comport with those previously used by State B’s intelligence service against State C, State A has a high degree of confidence State B is responsible. State B’s intelligence service is undeniably functioning as part of State B’s central government and thus a State organ the conduct of which is attributable to State B under Article 4 of the International Law Commission’s Draft Articles on the Responsibility of States for Internationally Wrongful Acts. Consequently, the balance of the analysis of this scenario considers whether State B breached international law either by exfiltrating vaccine research data or by conducting the DDoS operation against the hospital in its capacity as a vaccine research site and as State A’s principal virus testing facility.

Breach of an international obligation
[L3] This section considers whether the cyber espionage and the DDoS attack by State B breach an international obligation owed to State A—specifically, whether State B breached the international law rules prohibiting violations of State sovereignty and intervention into the domaine réservé of another State, perpetrated an unlawful use of force against State A, or violated the human rights of inhabitants of State A.

Obligation to respect the sovereignty of other States
[L4] State B’s DDoS attack (incident 2) violated State A’s sovereignty. Under one view, which is held by a number of states, as well as numerous scholars, a remotely conducted cyber operation breaches the sovereignty of another State if it causes concrete effects within the territory of the victim State. A contrasting view, succinctly expressed by France, is that that a cyber operation penetrating a State’s systems violates that State’s sovereignty even if the cyber operation does not cause concrete effects within victim State territory. One can conclude with a high degree of certainty that, by interfering with the dissemination of virus testing information and test results, State B caused the virus to spread more rapidly among people in State A than it otherwise would have done. The inability of State A’s population to know how and when to schedule testing or to obtain the results of completed tests in a timely manner meant that people were unable to identify themselves as carriers of the virus, were unaware they posed a public health risk, and likely were slow to implement appropriate precautions. That lack of information means persons carrying the virus almost certainly unknowingly spread it to others. Likewise, State A more than likely experienced an increased mortality rate from the virus because the inability of the population to get tested and to obtain test results delayed at least some persons carrying the virus and manifesting symptoms from seeking necessary and proper treatment.

[L5] For this prong of analysis of incident 2, the physical effects must be ascertained and causally linked to the cyber operation. Mere rescheduling of planned surgeries or a minor delay in delivering the test results would be a less serious effect than directly interfering with the immediate delivery of medical care; likewise, the impossibility of testing at one location could simply result in people taking the test elsewhere, so it may be difficult to pinpoint the causal link between the cyber operation and the additional infections.

[L6] There exists some uncertainty whether interference in, or usurpation of, inherently government functions is a relevant test for determining the existence of a violation of sovereignty, even though several States have already made declarations in favour of this interpretation. Applying that analysis to incident 2, State B also breached State A’s sovereignty by interfering with its ability to carry out its inherently governmental function of managing the public health crisis ongoing within its territory. By denying State A’s populace access to critical information about operations at the State’s primary virus testing facility, State B’s DDoS attack interfered with a vital aspect of State A’s plan for managing the health crisis. The act of interfering with State A’s inherently governmental function, wholly apart from whether that interference causes concrete effects to manifest in State A, results in a sovereignty violation.

[L7] As for State B exfiltrating the vaccine research from State A (incident 1), under the facts of this scenario, this likely does not constitute a sovereignty violation. First, State A suffered no damage or destruction to its cyber infrastructure. Second, State B did not, merely by exfiltrating vaccine research, necessarily cause increased spread of the virus or higher mortality rates among those infected with the virus in State A. If, however, State B accessing the clinical trial data caused the clinical trial to fail procedural protocols and need to be restarted, the resulting delay in State A’s vaccine development effort may shift the analysis in favour of a breach of sovereignty. Finally, State B did not impair the ability of State A to perform its inherently governmental functions; in particular its ability to manage the public health crisis within its borders.

Cyber espionage
[L8] State B’s cyber espionage efforts do not per se violate international law. Under the analysis above, remotely-conducted cyber espionage only violates a State’s sovereignty when it either causes concrete effects in the territory of that State—including serious damage to or destruction of cyber systems—or, according to those who hold this view, interferes with that State’s performance of its inherently governmental functions, whether or not such effects result from the espionage activities. Under the facts of this scenario, State B exfiltrating the vaccine research from State A likely does not constitute a sovereignty violation (see para L7).

Economic espionage
[L9] Exfiltrating eight months of vaccine research and clinical trial data from State A may fairly be considered economic cyber espionage of State A’s intellectual property. However, current international law does not prohibit economic cyber espionage. Therefore, attributing the data theft to State B and characterizing incident 1 as economic cyber espionage is insufficient to establish State B’s responsibility under international law. Absent a relevant treaty commitment between State B and State A, State B’s economic cyber espionage does not, itself, violate an international legal obligation binding upon it.

Non-intervention
[L10] The exfiltration of vaccine research by State B (incident 1) lacks the coercive element necessary to qualify as a prohibited intervention. State A retains full, unrestricted access to the research data in its continuing effort to develop an effective vaccine. State A’s ability to continue to execute its crisis response plan, a matter within its domaine réservé, is not adversely impacted by State B copying and appropriating the vaccine data to its own use.

[L11] In contrast, according to the more widely held position, the DDoS attack (incident 2) constitutes an unlawful intervention because it interfered with the crisis response plan developed by State A’s Ministry of Health by rendering the largest and principal virus testing centre in State A unable to perform its intended function as a key component of State A’s plan to manage the public health crisis ongoing in its territory.

Use of force
[L12] Uses of force need neither be perpetrated by the armed forces of a State nor involve the use of kinetic weapons. However, there is no consensus on the precise test or criteria by which to determine whether a particular cyber operation may properly be characterized as a use of force. That said, it is generally accepted that a cyber operation causing injury or death to persons or significant physical damage or destruction of objects qualifies as a use of force.

[L13] The DDoS attack by State B (incident 2) significantly lessened the ability of State A’s population to get tested and to obtain test results. Further, it almost certainly delayed at least some persons carrying the virus and manifesting symptoms from seeking necessary and proper treatment. State B’s conduct likely caused State A to experience increased rates of infection and mortality from the virus than would have been the case otherwise. Those increased rates of infection and mortality are reasonably foreseeable effects of State B’s cyber operation. If persons in State A in fact fell ill or died at any significant scale as a result of the DDoS attack (incident 2), then it may reasonably be characterized as an unlawful use of force against State A by State B. Even if such effects were not manifest and the hostile cyber operation did not qualify as a use of force, similar cyber operations repeatedly demonstrating the capacity to significantly disrupt cyber systems in a way likely to produce concrete effects might cross the Article 2(4) threshold as a threat to use force.

[L14] Even if the DDoS attack (incident 2) by State B qualifies as an unlawful use of force, State A and its allies may not respond in self-defence under UN Charter, Article 51, and its customary international law equivalent unless the DDoS attack is sufficiently grave to amount to an “armed attack.” Even then, a response in self-defence is further limited by the requirements that it be necessary and proportionate. State B was identified as the source of the DDoS attack (incident 2) only after the disruption. Indications that further cyber or kinetic attacks may follow are absent. Thus, it would be difficult for State A to reasonably claim that a use of force in self-defence was necessary to repel an ongoing or imminent attack by State B. State A could, if it chose, call upon the UN Security Council to characterise State B’s conduct as a “threat to the peace” or a “breach of the peace” and prescribe measures under Chapter VII of the UN Charter. Setting aside the prospect of UN Security Council action, it is at least arguably unnecessary to draw a conclusion regarding whether State B’s DDos attack (incident 2) against State A crossed the threshold of violating Article 2(4) of the UN Charter because it breached other applicable international legal rules. Even if international lawyers cannot agree on the precise rule(s) of international law violated by State B’s hostile cyber operations, there is a growing view that State cyber operations causing “significant adverse or harmful consequences for the research, trial, manufacture, and distribution” of vaccines, including “by means that damage the content or impair the use of sensitive research data, particularly trial results, or which impose significant costs on targeted facilities in the form of repair, shutdown, or related preventive activities” violate international law.

[L15] The unilateral responses available to State A under international law for a prohibited use of force—acts of retorsion and countermeasures —are identical to those available in response to other violations of international law.

Due diligence
[L16] In the event that State B denies responsibility or even goes so far as to proffer evidence suggesting that the hostile cyber operations are not, in fact, attributable to it, State B may still potentially be liable for failure to meet its due diligence obligation. Assuming arguendo that State B was not in fact responsible for the hostile cyber operations themselves, it was still under an international legal obligation not to allow its territory and cyber infrastructure under its control to be used to affect State A’s rights and produce serious adverse consequences for State A. To be responsible for failing to meet its due diligence obligation, State B must have had actual knowledge that its territory or cyber infrastructure was being so used, or the facts must be such that State B “in the normal course of events would have become aware.” Assuming it knew or should have known its territory or infrastructure was being used to harm State A, State B was obligated “to take all measures that are feasible in the circumstances to put an end to [the hostile cyber operations].”

International human rights law
[L17] International human rights law (IHRL) is an applicable, and more direct, legal mechanism for vindicating the rights of the individuals (vice the States) harmed by State B’s DDoS attack (incident 2). Although there is no definitive listing of the international human rights regarded as customary, many human rights captured in treaties such as the ICCPR and the ICESCR are considered to reflect customary international law. Numerous treaties, including both the ICCPR and the ICESCR, protect the individual rights to health and life, as does customary international law.

[L18] The international legal obligation to respect individuals’ rights to life and health means States must refrain from conduct that unjustifiably interferes with, or otherwise adversely affects, these rights. The concept of State conduct resulting in an arbitrary deprivation of life arises most apparently in the contexts of domestic law enforcement operations and targeting during armed conflict. However, there is no reason, in principle, why an unjustified State cyber operation adversely impacting the individual human rights to life and health should be beyond the reach of IHRL.

[L19] A threshold issue with which one must grapple in determining the applicability of IHRL to State cyber operations conducted into another State which disrupt individuals’ access to health care services, interfere with the other State’s ability to preserve public health, and increase the rates of infection and mortality, is extraterritoriality. Although the Human Rights Committee has offered a more expansive and controversial conception of extraterritorial jurisdiction based upon a State’s exercise of control over the enjoyment of the right to life, the prevailing view is that human rights treaties apply where either (a) the State against which the IHRL obligation is to be levied controls the territory in which the victim’s rights are violated, or (b) an organ of the State against which the IHRL obligation is to be levied exercises power or control over the individual victim(s). Neither of these circumstances necessarily limits the application of IHRL to within the territorial borders of the acting State. Although not beyond reasonable debate as lex ferenda rather than lex lata, Compare Marko Milanovic and Michael N. Schmitt, ‘Cyber Attacks and Cyber (Mis)Information Operations During a Pandemic’, (2020) 11 J. Nat’l Security L. & Pol’y 247, 264 (stating that “an expansive view of the extraterritorial application of human rights obligations is both desirable and sensible”) and [https://undocs.org/CCPR/C/GC/36 Human Rights Comm. General Comment No. 36], ¶63, CCPR/C/GC/36 (Sep. 2, 2019) (adopting the position that “subject to its jurisdiction” under Art. 2 of the International Covenant on Civil and Political Rights refers not to the exercise of State power or control over the person but rather the exercise of State power and control over the enjoyment of the right to life and that the relevant consideration is direct and foreseeable impact on the right to life, wherever the victim may be located physically) with Bankovic v. Belgium, 2001-XII Eur. Ct. H.R. ¶¶74-82 (refusing to interpret “within their jurisdiction” under Art. 1 of the Convention for the Protection of Human Rights and Fundamental Freedoms to make the Art. 2 right to be free from arbitrary deprivations of life whenever anyone is killed by an act attributable to a State Party, regardless of where in the world the act was performed or its consequences felt) and Matthew Waxman, Principal Deputy Director of Policy Planning, U.S. Department of State, Opening Statement to the U.N. Human Rights Committee on the Report Concerning the International Covenant on Civil and Political Rights (Jul. 17, 2006) (asserting that “it is the long-standing view of the United States that the Covenant by its very terms does not apply outside of the territory of a State Party” and that although the United States is “aware of the views of members of this Committee regarding the extraterritorial application of the Covenant, including the Committee’s General Comment No. 31” the United States “has a principled and long-held view that the Covenant applies only to a State Party’s territory. It is the long-standing view of [the United States] that applying the basic rules for the interpretation of treaties described in the Vienna Convention on the Law of Treaties leads to the conclusion that the language in Article 2, Pargraph [sic.] 1, establishes that States Parties are required to respect and ensure the rights in the Covenant only to individuals who are BOTH within the territory of a State Party and subject to its jurisdiction.”). the customary right to be free from arbitrary deprivations of life may likewise not be constrained in application to the territorial confines of the acting State.

[L20] A State cyber operation conducted into the territory of another State that either directly injures or kills persons or increases the rates of infection and mortality by disrupting access to health care services or interfering with the other State’s ability to preserve public health likely violates the rights to life and health under customary IHRL and, for States Party to an applicable IHRL treaty, also under the relevant treaty or treaties.

[L21] So far, the focus has been on the legality of State B’s activities, but consideration must also be given to whether State A has satisfied its human rights obligations. Article 2(1) of the International Covenant on Political and Civil Rights requires States “to respect and to ensure to all individuals within its territory and subject to its jurisdiction [the right to life].” Article 2(1) of the Convention for the Protection of Human Rights and Fundamental Freedoms also obligates State A to affirmatively take steps to protect the lives of those within its jurisdiction. The latter positive obligation includes both “the duty to provide a regulatory framework; and the obligation to take preventive operational measures” and it applies in various contexts, including that of public health. It is unclear whether State A may bear some responsibility for failing to properly enact cybersecurity standards that could have prevented or minimized State B’s hostile cyber operations and the illness and death caused by them, but the possibility should not be overlooked.

Checklist

 * Sovereignty
 * What is the victim State’s position on whether sovereignty is a primary rule of international law, and if so, the content of this rule?
 * Was the operation: (a) conducted remotely; or (b) conducted from within the territory of the victim State and without its consent?
 * Did the operation cause physical damage, significant loss of functionality, or destruction of cyber infrastructure in the victim State?
 * Did the operation cause damage to or destruction of something other than cyber infrastructure in the victim State?
 * Did the operation, directly or indirectly, cause injury or death to individuals?
 * Did the operation interfere with the victim State performing its inherently governmental functions?
 * Did the operation usurp the performance of an inherently governmental function of the victim State?
 * If the facts support finding a violation of sovereignty, is there a circumstance precluding the wrongfulness of that violation?
 * Prohibition of intervention
 * Did the operation interfere with or usurp a matter unregulated by international law or left solely to the prerogative of the victim State under international law?
 * Did the operation amount to a coercive act, and if so, under what definition of “coercion”?
 * If the facts support finding a violation of the prohibition on intervention, is there a circumstance precluding the wrongfulness of that violation?
 * Use of force
 * Did the operation cause physical effects in the territory of the victim State?
 * If no physical effects manifested in the territory of the victim State, what is the victim State’s position on whether cyber operations not causing concrete effects can qualify as a use of force?
 * If physical effects resulted from the operation, were more than a de minimis number of persons in the victim State injured or killed? Did the operation result in significant physical damage or destruction of objects?
 * Did the effects generated in the victim State result immediately or near immediately from the operation?
 * Are the effects generated in the victim State directly traceable to the operation as the cause?
 * Is the perpetrator of the operation a State organ that might be expected to employ kinetic means typically characterised as a use of force (e.g., armed forces or intelligence agencies)?
 * Is the system targeted in the victim State public (governmental) or private (non-governmental)?
 * Is the scale of the effects generated in the victim State reasonably quantifiable?
 * International human rights
 * Did the operation interfere with an individual right recognized under a human rights treaty to which the States are party or that is recognized by customary international law?
 * Does the State perpetrating the operation control the territory in which the victim’s rights are violated, or does an organ of the perpetrating State exercise power or control over the victim?
 * If the organ of the State perpetrating the cyber operation does not exercise power or control over the victim in a physical sense, does that State organ exercise control over the victim’s ability to enjoy a human right recognized under a human rights treaty to which the States are party or recognized by customary international law?
 * If the operation interferes with an individual right recognized under an applicable human rights treaty or under customary international law, is that interference (a) authorized by a domestic law; (b) undertaken in the pursuit of a legitimate public interest (e.g., national security, public order, or public health) or to protect the rights of others; (c) necessary to achieve that the public interest; and (d) conducted in a manner proportionate to the desired end?
 * Did the victim State fulfil its positive obligations under IHRL (e.g., protecting the right to life of those under its jurisdiction)?

Bibliography and further reading

 * Agreement on Trade-Related Aspects of Intellectual Property Rights, Annex 1C to the Agreement Establishing the World Trade Organization (signed on 15 April 1994 in Marrakesh), 1869 UNTS 299, 33 ILM 1197.
 * American Convention on Human Rights (open for signature from 22 November 1969, entered into force 18 July 1978), 1144 UNTS 123.
 * Application of the Convention on the Prevention and Punishment of the Crime of Genocide (Bosnia and Herzegovina v. Serbia and Montenegro) (Judgment) [2007] ICJ Rep 43.
 * Australia, 'Supplement to Australia’s Position on the Application of International Law to State Conduct in Cyberspace' (2019).
 * Austria, ‘Pre-Draft Report of the OEWG - ICT: Comments by Austria’ (31 March 2020).
 * Bankovic and Others v. Belgium, 2001-XII Eur. Ct. H.R. 333.
 * William Banks, ‘State Responsibility and Attribution of Cyber Intrusions After Tallinn 2.0’ (2017) 95 Tex. L. Rev. 1487.
 * Gary Brown and Keira Poellet, ‘The Customary International Law of Cyberspace’ (2012) Strategic Studies Quarterly 137.
 * Ian Brownlie, International Law and the Use of Force by States (OUP 1963).
 * Russell Buchan, ‘The International Legal Regulation of State-Sponsored Cyber Espionage’ in Anna-Maria Osula and Henry Rõigas (eds), International Cyber Norms: Legal, Policy & Industry Perspectives (NATO CCD COE 2016).
 * Charter of the United Nations (adopted 26 June 1945, entered into force 24 October 1945) 1 UNTS 16.
 * Gary P. Corn and Robert Taylor, ‘Sovereignty in the Age of Cyber’ (2017) 111 AJIL Unbound 207.
 * James Crawford, Brownlie's Principles of Public International Law (OUP 2012).
 * James Crawford, State Responsibility: The General Part (CUP 2013).
 * James Crawford, ‘State Responsibility’ in Rüdiger Wolfrum (ed), Max Planck Encyclopedia of Public International Law (OUP 2008).
 * Certain Activities Carried Out by Nicaragua in the Border Area (Costa Rica v Nicaragua) and Construction of a Road in Costa Rica along the San Juan River (Nicaragua v Costa Rica) (Judgment) [2015] ICJ Rep 665.
 * Charter of Fundamental Rights of the European Union (2012) OJ C326/391.
 * Theodore Christakis, ‘The ICJ Advisory Opinion on Kosovo: Has International Law Something to Say about Secession?’ (2011) 24 LJIL 73.
 * Convention for the Protection of Human Rights and Fundamental Freedoms (opened to the signature in Rome on 4 November 1950, entered into force 3 September 1953) ETS 5.
 * Council of the European Union, ‘Council Conclusions on the Joint Communication to the European Parliament and the Council: Resilience, Deterrence and Defence: Building strong cybersecurity for the EU’ (Council conclusions, 20 November 2017).
 * Oliver Corten, The Law against War (Hart Pub. 2010).
 * Czech Republic, ‘Statement by Mr. Richard Kadlčák, Special Envoy for Cyberspace’ (2nd substantive session of the Open-ended Working Group on developments in the field of information and telecommunications in the context of international security, 11 February 2020).
 * Ashley Deeks, 'An International Legal Framework for Surveillance' (2015) 55 Va. J. Int’l L. 291.
 * Dispute regarding Navigational and Related Rights (Costa Rica v Nicaragua) Judgment [2009] ICJ Rep 213.
 * Oliver Dörr and Albrecht Randelzhofer, ‘Article 2(4)’ in Bruno Simma and others (eds), The Charter of the United Nations: A Commentary (OUP 2012).
 * Documents of the United Nations Conference    on International Organization (1945), vol VI, 334.
 * Draft Articles on the Responsibility of States for Internationally Wrongful Acts, prepared by the International Law Commission and approved by the General Assembly resolution 56/83 of 12 December 2001.
 * Dutch Ministry of Foreign Affairs, ‘Letter to the parliament on the international legal order in cyberspace’ (5 July 2019).
 * Dan Efrony and Yuval Shany, ‘A Rule Book on the Shelf? Tallinn Manual 2.0 on Cyberoperations and Subsequent State Practice’ (2018) 112 AJIL 583.
 * Brian Egan, U.S. State Department Legal Advisor, ‘International Law and Stability in Cyberspace’ (Speech at Berkeley Law School, 10 November 2016).
 * David Fidler, ‘Economic Cyber Espionage and International Law: Controversies Involving Government Acquisition of Trade Secrets through Cyber Technologies’ (2013) 17/10 ASIL Insights.
 * French Ministry of the Armies, ‘International Law Applied to Operations in Cyberspace’ (9 September 2019).
 * G7, ‘Principles and Actions on Cyber’ (Annex to the Ise-Shima Declaration from 27 May 2016).
 * G8, ‘Declaration: Renewed Commitment for Freedom and Democracy’ (Summit of Deauville, 27 May 2011).
 * G20, ‘Leaders’ Communiqué’ (15–16 November 2015).
 * Christine Gray, International Law and the use of force (OUP 2018).
 * Erica Häger & Carolina Dackö, ‘Economic Espionage: A Report by Mannheimer Swartling’ (2018).
 * Christof Heyns and others, ‘The International Law Framework Regulating the Use of Armed Drones’ (2016) 65 Int’l Comp. L.Q. 791.
 * Duncan B. Hollis and Tsvetelina van Benthem, ‘What Would Happen If States Started Looking at Cyber Operations as a “Threat” to Use Force?’ (Lawfare, 30 March 2021).
 * International Covenant on Civil and Political Rights (adopted 16 December 1966, entered into force 23 March 1976) 999 UNTS 171.
 * International Covenant on Economic, Social and Cultural Rights (adopted 16 December 1966, entered into force 3 January 1976) 993 UNTS 3.
 * ILC, 'Document A/6309/ Rev.1: Reports of the International Law Commission on the second part of its seventeenth and on its eighteenth session' (UNYBILC II, 1966).
 * Iran, ‘Declaration of General Staff of the Armed Forces of the Islamic Republic of Iran Regarding International Law Applicable to the Cyberspace’ (July 2020).
 * Island of Palmas (Neth. v. U.S.), 2 RIAA 829 (Perm. Ct. Arb. 1928).
 * Japan, ‘Japan’s Position Paper for the Report of the United Nations Open-Ended Working Group on "Developments in the Field of Information and Telecommunications in the Context of International Security"’ (undated).
 * Harold Hongju Koh, ‘International Law in Cyberspace: Remarks as Prepared for Delivery to the USCYBERCOM Inter-Agency Legal Conference' (18 September 2002), reprinted in (2012) 54 Harv. Int’l L.J. Online 1, 4.
 * Marcelo Kohen, ‘The Court’s Contribution to Determining the Content of Fundamental Principles of International Law’ in Giorgio Gaja and Jenny Grote Stoutenburg (eds), Enhancing the Rule of Law through the International Court of Justice (Brill 2012).
 * David Kretzmer, ‘The Inherent Right to Self-Defence and Proportionality in Jus Ad Bellum’ (2013) 24 EJIL 235.
 * Legal Consequences of the Construction of a Wall in the Occupied Palestinian Territory (Advisory Opinion) [2004] ICJ Rep 136.
 * Legality of the Threat or Use of Nuclear Weapons Case (Advisory Opinion) [1996] ICJ Rep 226.
 * Catherine Lotrionte, ‘Countering State-Sponsored Cyber Economic Espionage Under International Law’ (2015) 40 N.C. J. Int'l L. & Com. Reg. 443.
 * Marko Milanovic, ‘Human Rights Treaties and Foreign Surveillance: Privacy in the Digital Age’ (2015) 56/1 Harv Int’l LJ 81.
 * Marko Milanovic and Michael N Schmitt, ‘Cyber Attacks and Cyber (Mis)Information Operations During a Pandemic’ (2020) 11 J. Nat’l Security L. & Pol’y 247.
 * Tomohiro Mikanagi and Kubo Mačák, ‘Attribution of cyber operations: an international law perspective on the Park Jin Hyok case’ (2020) 9 Cambridge Int’l L, J. 51.
 * Military and Paramilitary Activities in and against Nicaragua (Nicaragua v US) (Merits) [1986] ICJ Rep 14.
 * Paul C. Ney, ‘DOD General Counsel Remarks at U.S. Cyber Command Legal Conference’ (2 March 2020).
 * Georg Nolte and Albrecht Randelzhofer, ‘Article 51’ in Bruno Simma and others (eds), The Charter of the United Nations: A Commentary (3rd edn, OUP 2012).
 * North Atlantic Treaty Organization, ‘Wales Summit Declaration’ (issued by the Head of State and Government participating in the meeting of the North Atlantic Council in Wales, 5 September 2015).
 * North Atlantic Treaty Organization, ‘Warsaw Summit Communiqué’ (issued by the Heads of State and Government participating in the meeting of the North Atlantic Council in Warsaw, 9 July 2016).
 * U.S. Department of Defense, Law of War Manual (December 2016).
 * Oil Platforms (Iran v US) [2003] ICJ Rep 161.
 * Organization for Security and Cooperation in Europe, Decision No. 1202, OSCE Confidence-Building Measures to Reduce the Risks of Conflict Stemming from the Use of Information and Communication Technologies (Permanent Council, 10 March 2016) PC.DEC/1202.
 * President of the United States, ‘International Strategy for Cyberspace: Prosperity, Security, and Openness in a Networked World’ (2011).
 * Ambassador Norbert Riedel, Commissioner for International Cyber Policy, Federal Foreign Office, Berlin, ‘Cyber Security as a Dimension of Security Policy’ (Speech at Chatham House, London, 18 May 2015).
 * Marco Roscini, Cyber Operations and the Use of Force in International Law (OUP 2014).
 * Michael N Schmitt (ed), Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (CUP 2017).
 * Michael N Schmitt, ‘The Use of Cyber Force and International Law’ in Marc Weller (ed), Oxford Handbook on the Use of Force in International Law (OUP 2015).
 * Michael N Schmitt, ‘Virtual Disenfranchisement: Cyber Election Meddling in the Grey Zones of International Law’ (2018) 19 Chi. J. Int’l L. 30.
 * Michael N Schmitt and Liis Vihul, ‘Respect for Sovereignty in Cyberspace’ (2017) 95 Tex. L. Rev. 1639.
 * Statute of the International Court of Justice (adopted 26 June 1945, entered into force 24 October 1945).
 * The Second Oxford Statement on International Law Protections of the Healthcare Sector During COVID-19: Safeguarding Vaccine Research (7 August 2020).
 * Nicholas Tsagourias ‘Cyber Attacks, Self-Defence and the Problem of Attribution’ (2012) 17 (2) JCSL 23.
 * United Kingdom, ‘Statement on Other Disarmament Measures and International Security to the 72nd UNGA First Committee’ (23 October 2017).
 * UNGA Res 2625 (XXV), ‘Declaration on Principles of International Law concerning Friendly Relations and Co-operation among States in accordance with the Charter of the United Nations’ (24 October 1970).
 * UNGA Res 70/237, ‘Developments in the field of information and telecommunications in the context of international security’ (UN Doc. A/RES/20/237, 23 December 2015).
 * UN Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, ‘Report of the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security’ (UN Doc A/70/174, 22 July 2015).
 * UN Human Rights Committee, ‘Summary Record of the 1405th Meeting’ (CCPR/C/SR.1405, 31 March 1995) [20].
 * UN Human Rights Committee, ‘General Comment No. 24 on issues relating to reservations made upon ratification or accession to the Covenant or the Optional Protocols thereto, or in relation to declarations under article 41 of the Covenant’ (CCPR/C/21/Rev.1/Add.6, 11 November 1994).
 * UN Human Rights Committee, ‘General Comment No. 27, Article 12: Freedom of Movement’ (CCPR/C/21/Rev.1/Add.9, 1 November 1999).
 * UN Human Rights Committee, ‘General Comment No. 31 (80), The Nature of the General Legal Obligation Imposed on States Parties to the Covenant’ (CCPR/C/21/Rev.1/Add.13, 29 March 2004).
 * UN Human Rights Committee, ‘General Comment No. 34, Article 19: Freedoms of opinion and expression’ (CCPR/C/GC/34, 12 September 2011).
 * UN Human Rights Council Res 32/13, ‘The promotion, protection and enjoyment of human rights on the Internet’ (UN Doc. A/HRC/RES/32/13, 1 July 2016).
 * United States, ‘FACT SHEET: President Xi Jinping’s State Visit to the United States’ (25 September 2015).
 * Velásquez Rodríguez v. Honduras, (Merits) IACrtHR (Ser. C) No. 4 (29 July 1988).
 * Wolff Heintschel von Heinegg, ‘Territorial Sovereignty and Neutrality in Cyberspace’ (2013) 89 Int’l L. Stud. 123.
 * Sean Watts and Theodore Richard, 'Baseline Territorial Sovereignty and Cyberspace' (2018) 22 Lewis & Clark L. Rev. 771 (citing Memorandum from JM O’Connor, General Counsel of the Department of Defense, ‘International Law Framework for Employing Cyber Capabilities in Military Operations’ (19 January 2017)).
 * Matthew Waxman, Principal Deputy Director of Policy Planning, U.S. Department of State, ‘Opening Statement to the U.N. Human Rights Committee on the Report Concerning the International Covenant on Civil and Political Rights’ (17 July 2006).
 * Jeremy Wright, ‘Cyber and International Law in the 21st Century’ (23 May 2018).
 * Katja Ziegler, ‘Domaine Réservé’ in Rüdiger Wolfrum (ed), Max Planck Encyclopedia of Public International Law (OUP 2008, updated April 2013).

Contributions

 * Scenario by: Jeremy K. Davis
 * Analysis by: Jeremy K. Davis
 * Reviewed by: Duncan Hollis and Ori Pomson