Scenario 21: Misattribution caused by deception

A State launches a cyber operation against another State but orchestrates the attack in a way that points towards a third country as the wrongdoer. The victim State launches retaliatory measures against the alleged wrongdoer. The legal analysis of this scenario examines legal responsibility for cyber retaliation directed against the wrong target due to misattribution. It also assesses whether a mistake of fact can alleviate international responsibility of the responding State towards the victim State.

Keywords
Deception, mistake of fact, misattribution, evidence, countermeasures

Facts
[F1] State A decides to conduct a harmful cyber operation against State B with deceptive elements to orchestrate wrongful attribution of this operation to its global competitor, State C. The aim is that misattribution of such a false-flag cyber operation will be followed by retaliatory measures of State B against State C.

[F2] Thus, the Central Intelligence Bureau of State A covertly launches a sophisticated deceptive cyber operation against State B (incident 1). The malware used against State B causes significant damage to its electric power grid. In particular, servers and workstations of the National Grid Control Centre of State B are knocked offline by deleting critical system files, resulting in temporary loss of control over the distribution of power across the country and local power outages. As a result, the e-government services provided by State B are down in some regions for about a week.

[F3] The malware was created in such a way as to point towards State C. Specific segments of codes, toolkits and methods are used and combined in a way to allow State B to identify false but persuasive traces leading to State C. The alleged origin of the cyber incidents from State C is confirmed also by information acquired by State B’s intelligence services.

[F4] State B publicly denounces State C for the hostile cyber operation. At the same time, as a retaliation, its central intelligence service conducts a reciprocal cyber operation against the internal servers of the central national authority that is responsible for the distribution of electric power in State C (incident 2). This operations leads to country-wide power outages in State C and a similar disruption of e-government services provided by State C.

Examples

 * Olympic Destroyer (2018)
 * Stuxnet (2010)

Legal analysis
For a general overview of the structure of analysis in this section, see Note on the structure of articles.

[L1] The scenario consists of two distinct acts of two actors: the false-flag operation carried out by State A against State B (incident 1) and the retaliatory operation of State B against State C (incident 2). The scenario analyses and discusses various aspects of international responsibility in connection with these acts. The analysis first proceeds with the assessment of the initial false-flag cyber operation of State A against State B (incident 1) and then it continues with the assessment of the retaliatory measures of State B against State C (incident 2).

Responsibility for the false-flag cyber operation
[L2] The false-flag cyber operation of State A against State B (incident 1) amounts to a breach of the prohibition of intervention and obligation to respect sovereignty of other States. State A launched a sophisticated cyber operation against State B that caused the loss of control over the distribution of power across its territory and local power outages. This coercive action led to the loss of functionality of State B’s critical infrastructure and its e-government systems, significantly reducing its capability to serve its inherently governmental functions and its ability to conduct its affairs freely. Alternatively, the disruption of critical infrastructure by cyber means could be linked to a loss of functionality of cyber infrastructure and hence a violation of territorial sovereignty. Some States would even consider a mere disruption of critical infrastructure as such a violation. Based on the facts provided, the conduct is attributable to State A since it was conducted by its central intelligence service, which is an organ of State A.

Responsibility for the internationally wrongful act of another State
[L3] A challenging question arises whether State A was internationally responsible for the wrongful conduct committed by State B against State C, but orchestrated by State A (incident 2). In other words, is it possible, and if so, on what grounds, for State C as the injured State to invoke the responsibility of State A for the consequences caused by the retaliatory measures of State B? The rules on State responsibility contain legal constructions on how a State can incur responsibility in connection with the wrongful conduct of another State. These rules are applicable also to cyberspace.

[L4] The commission of a false-flag cyber operation by State A does not fit any of the recognized forms of implication of international responsibility for the conduct of State B. The nature of the relationship between the two States cannot be qualified as aid or assistance since State B was not aware of the origin of the false-flag operation and intent of State A. There was also no relationship of dependence that would amount to direction or control. Finally, State B was not coerced to engage in retaliatory measures against State C as it was not deprived of its freedom of action. Consequently, it is not possible for State C as the injured State to invoke the responsibility of State A for the consequences caused by the retaliatory measures of State B (incident 2).

Responsibility for deceptive conduct
[L5] It could be questioned whether State A’s misleading of State B into the commission of an internationally wrongful act against State C itself amounts to a separate breach of an international legal obligation and if so, which international obligation. In other words, does misleading another State to act in an unlawful way itself constitute a violation of international law on the part of the deceiving State?

[L6] Misleading of another State is a matter not per se regulated by international law, however it may be contrary to the sic utere tuo (no harm) principle. This principle is recognized as a limitation on State sovereignty and in specific areas (in particular, international environmental law) as a distinct legal norm. However, it does not at present time constitute a standalone legal rule applicable in the cyber context. Consequently, misleading another State to engage in misdirected cyber retaliation does not in itself constitute a violation of international law.

Retaliatory measures and responsibility of State B
[L7] State B launched a cyber operation against State C (incident 2). This operation caused a loss of functionality of State C's critical infrastructure and its e-government systems, significantly reducing its capability to serve its inherently governmental functions and its ability to conduct its affairs freely. Alternatively, the disruption of critical infrastructure by cyber means could be linked to a loss of functionality of cyber infrastructure and hence a violation of territorial sovereignty. Some States would even consider a mere disruption of critical infrastructure as such a violation. Such action amounted to the violation of the prohibition of intervention and of the obligation to respect sovereignty of other States. Based on the facts provided, the conduct is also attributable to State B since it was conducted by its central intelligence service which is a State organ. The international responsibility of State B may be precluded if its conduct fulfils conditions of any of the circumstances precluding wrongfulness. The two next subsections examine whether the wrongfulness of State B’s conduct could be precluded on the grounds that it qualifies as a lawful countermeasure or that the State was acting in error.

Countermeasures
[L8] As the first basic precondition, the act constituting a countermeasure must be taken in response to a previous internationally wrongful act of another State and must be directed against that State. This appears problematic in the present case since the technical evidence and intelligence information acquired by State B point towards the State C as the wrongdoer, but in reality, the author of the false-flag cyber operation was State A. Identification of the wrongdoer and attribution in context of cyber operations is challenging due to evidentiary and technical peculiarities of cyberspace that make it possible to hide identity and leave false traces.

[L9] However, the criteria for establishment of international responsibility are objective. Subjective considerations, including mistakes of fact, fault or intent are not relevant unless otherwise provided by the primary norm in question. Since the false-flag operation was carried out by State A and therefore cannot be attributed to State C, the condition of an internationally wrongful act attributable to State C is not fulfilled and countermeasures cannot be lawfully directed against this State.

[L10] The retaliatory measures of State B do not fulfil also other requirements, namely a previous call upon allegedly responsible State to fulfil its obligations, notification and offer for negotiations. Since the very first condition of countermeasures – existence of an internationally wrongful act on side of State C – is not met, it is not necessary to engage in an in-depth analysis of these other requirements.

Relevance of mistake of fact
[L11] The wrongful conduct of State B against State C was a consequence of misattribution caused by the wilful deception orchestrated by State A. Despite the existence of the mistake of fact in this case, conditions of international responsibility of State B are established due to their objective nature. [L12] It is then to be discussed whether the mistake of fact on the part of State B alleviates the wrongfulness of its retaliatory operation against State C. However, mistake of fact does not qualify as a distinct circumstance precluding wrongfulness, nor is it relevant for the invocation of any of the recognized circumstances precluding wrongfulness. It follows that State B is internationally responsible for the retaliatory operation against State C, even if it acted in error.

[L13] The wrongfulness of the retaliatory operation of State B against State C is not precluded by any circumstance precluding wrongfulness. Therefore, the conduct of State B constitutes an internationally wrongful act.

Checklist

 * Sovereignty:
 * Does the conduct of State A amount to a breach of sovereignty of State B?
 * Does the conduct of State B amount to a breach of sovereignty of State C?
 * Prohibition of intervention:
 * Does the conduct of State A or State B amount to a violation of the prohibition of intervention under international law?
 * False-flag operation:
 * Did State A coerce State B to engage in retaliation against State C?
 * Did State A aid or assist State B in retaliation against State C?
 * Did State A control State B with respect to retaliation against State C?
 * Countermeasures:
 * Is State B applying countermeasures in response to a prior internationally wrongful act of the responsible State?
 * Do the measures taken by State B meet the conditions prescribed for the lawful resort to countermeasures under international law?
 * Are the retaliatory measures directed against the State to which the internationally wrongful act can be attributed?
 * What is the relevance of mistake of fact?
 * Circumstances precluding wrongfulness
 * Are the conditions of any of the circumstances precluding wrongfulness met?
 * Does error or mistake of fact qualify as or is relevant for any of the circumstances precluding wrongfulness?

Bibliography and further reading

 * Christian Dominicé, ‘Attribution of Conduct to Multiple States and the Implication of a State in the Act of Another State’ in James Crawford and others (eds), The Law of International Responsibility (OUP 2010).
 * François Delerue, Cyber Operations and International Law (CUP 2020).
 * James Crawford, State Responsibility: The General Part (CUP 2013).
 * James Crawford, ‘State Responsibility’ in R Wolfrum (ed), Max Planck Encyclopedia of Public International Law (OUP 2008).
 * Jutta Brunnée, ‘Sic utere tuo ut alienum non laedas’ in Rüdiger Wolfrum (ed), Max Planck Encyclopedia of Public International Law (OUP 2008, updated March 2010)
 * Kristin E. Heckman and others, Cyber Denial, Deception and Counter Deception: A Framework for Supporting Active Cyber Defence (Springer 2015) - addressing deception as a strategy and technical method of resisting and eliminating cyber intrusions.
 * Marco Roscini, ‘Evidentiary Issues in International Disputes Related to State Responsibility for Cyber Operations’ (2015) 50 Texas International Law Journal 1.
 * Michael N Schmitt (ed), Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (CUP 2017).
 * Michael N Schmitt, ‘'Below the Threshold' Cyber Operations: The Countermeasures Response Option and International Law’ (2014) 54 Virginia Journal of International law 1.
 * Robin Geiss and Henning Lahmann, ‘Freedom and Security in Cyberspace: Shifting the Focus Away from Military Responses Towards Non-Forcible Countermeasures and Collective Threat-Prevention’ in Katharina Ziolkowski (ed), Peacetime Regime for State Activities in Cyberspace (NATO CCD COE 2013)



Contributions

 * Scenario by: Petr Stejskal & Martin Faix
 * Analysis by: Petr Stejskal & Martin Faix
 * Reviewed by: François Delerue and Anna-Maria Osula