Scenario 02: Cyber espionage against government departments

A military unit of State B conducts a cyber espionage operation against State A’s Ministry of Foreign Affairs and its subordinate organizations. The data obtained in this operation is later published on the Internet by State B. The analysis considers whether State B’s operation violated sovereignty, the prohibition of intervention, and diplomatic and consular law.

Keywords
Attribution, peacetime cyber espionage, diplomatic and consular law, prohibition of intervention, sovereignty, privacy

Facts
State A discovers that an email server and several other servers belonging to its Ministry of Foreign Affairs (MFA) have been infiltrated. Initially, the attackers are not identified. Investigation shows that the attackers gained access to the email server by obtaining passwords of several consular officers at State A’s missions abroad through spear phishing and fake log-on websites (incident 1).

After gaining access, the intruders escalated account privileges and moved laterally through the network, which includes servers located both within State A's territory and on diplomatic and consular premises abroad. Within a few days, they gained access to additional MFA network servers and services provided in various countries abroad. They had access to data of various MFA personnel including senior officials for several months (incident 2).

A large amount (over 10 GB) of unclassified data on MFA servers was exfiltrated, even though it is not immediately clear what precise data was affected by the incident (incident 3). No data was destroyed or encrypted and no services were affected during the attack.

Nobody claims responsibility for the attack immediately after the MFA's discovery of the incident and publication of the fact that it has occurred. However, a few days later, emails, procurement documents, and internal memos belonging to the MFA of State A are published on the Internet (incident 4).

Multiple evidence points to State B:
 * Technical investigation revealed the malware used by attackers in this case. The same malicious code was employed in the past during multiple campaigns by an entity affiliated with a military unit of State B. One of those campaigns was targeted against State C’s MFA.
 * Earlier on, head of an allied intelligence service in State C had publicly accused State B of a cyber espionage campaign conducted by the state military unit against State C’s MFA.
 * The attackers used tactics, techniques and procedures (TTPs) very similar to those observed in other attacks publicly attributed to State B by multiple countries including State A allies. Mimicking TTPs is much more difficult than tampering other technical evidence.
 * Judging by the nature and content of the compromised data and by persons that were apparently of particular interest to the attackers, analytical unit indicated State B as a logical and the most probable perpetrator of the attack against the MFA.
 * State A intelligence service sources confirmed that State B institutions possessed information that were based on State A MFA’s internal data.

Both State A and State B are parties to the Vienna Convention on Diplomatic Relations (VCDR) and the Vienna Convention on Consular Relations (VCCR).

Examples

 * APT-29 attacks on ministries (2016-2017)
 * Office of Personnel Management data breach (2015)

Legal analysis
For a general overview of the structure of analysis in this section, see Note on the structure of articles.

The legal analysis focuses on a number of relevant international legal rules, including the obligation to respect the sovereignty of other States, the prohibition of intervention, inviolability under diplomatic law and privacy rights.

Attribution
The military unit of State B qualifies as an organ of that State. As such, its relevant conduct is directly attributable to State B. The following analysis proceeds on the assumption that all activities described in the scenario (incidents 1–4) were conducted by the said State B’s military unit and are attributable to it.

Diplomatic and consular law
In incident 1, by gaining access to the official email accounts of several consular officers of State A, State B ran afoul of the inviolability of official correspondence under diplomatic and consular law. The lateral movement (incident 2) and exfiltration of data (incident 3) are just further steps in the illegal activity of State B, at least to the extent that the hacked accounts and servers contained data pertaining to State A’s diplomatic missions and consular posts, irrespective of their location. As a matter of fact, international law grants the inviolability of any official correspondence related to the missions and its functions.

Incident 4, wherein the data was published on the Internet, raises the question whether the published materials are still protected by international law under diplomatic and consular law. This issue is unsettled in the present state of the law. One view, endorsed by a majority of the experts drafting the Tallinn Manual, is that inviolability no longer applies to data that has been made public, as it is “not confidential as a matter of fact”. By contrast, others believe that the duty to respect the inviolability of the materials in question continues to apply in such cases. The primary reason for this view is that the duty of inviolability covers the protected materials “wherever they may be”, which therefore includes even the public domain.

Nonetheless, there may be aspects of the right to privacy in the context of international human rights law which are violated by the publication of the consular officers' and other MFA personnel's personal details and additional information associated with their emails.

Sovereignty
Whether State A's sovereignty was violated in incidents 1–3 depends on whether the espionage operation was fully conducted from outside of State A’s territory, or whether a part of it was conducted by operators physically located in State A’s territory. In the latter case, the operation could be considered a violation of sovereignty, and hence State B’s breach of its corresponding international obligation (option 1 above). As for a possible interference with data or services that are necessary for the exercise of "inherently governmental functions", the data was merely copied by the adversary, not destroyed or modified, and the services kept working during the espionage operation.

Taken separately, the publication of the acquired data (incident 4) would not violate the sovereignty of State A. Had the published information been classified in State A, then the publication is likely illegal according to State A’s domestic law; State A can also be party to international agreements which regulate the transfer of its classified information to third parties, which may create obligations for third States with regard to this information.

Prohibition of intervention
In the present scenario, prohibited intervention could also be a relevant qualification. The incidents encroach on State A’s external affairs which are the sole prerogative of State A. However, incidents 1–3 do not contain the element of coercion, because they are conducted merely with the aim to gather information, which does not compel State A to adapt the conduct of its external affairs.

As for incident 4, if it can be attributed to State B, it is coercive in the sense that it has the potential to cause State A to adapt its external (and internal) affairs based on the published information and to contain the relevant political damage. It may be harder for State A to ascertain the intent of State B, which might have had no particular outcome in mind, apart from causing mischief. This might also pose an issue for establishing the causal nexus between State B’s activity and the resulting reaction by State A: the causality might not be deemed direct enough.

Espionage
As this overview demonstrates, the mere characterization of a cyber operation as amounting to cyber espionage is not conclusive as to the question of its lawfulness under international law. Reference must be had to specific rules of international law, which may be breached by the operation in question in its specific circumstances (see especially Sovereignty and Prohibited intervention above). It may be noted that there is a view that acts of espionage represent a customary exception to the relevant prohibitions. However, this interpretation would amount to the establishment of a novel circumstance precluding wrongfulness, for which there is no evidence in international law. Accordingly, the lawfulness of incidents 1–4 therefore must be assessed with reference to other applicable international legal rules.

Checklist

 * Do the affected materials come under the duty of inviolability of documents and archives of diplomatic missions and consular posts?
 * Do they implicate the right to privacy of affected personnel?
 * Does the exfiltration and publication of data violate the sovereignty of the victim State?
 * Does the exfiltration and publication of data amount to a prohibited intervention?
 * Is the fact that part of the operation is cyber espionage an important circumstance for the il/legality of the operation? If so, to what extent?

Bibliography and further reading

 * [TBC]

Contributions

 * Scenario by: Taťána Jančárková & Tomáš Minárik
 * Analysis by: Tomáš Minárik
 * Reviewed by: [TBC]