Scenario 04: A State’s failure to assist an international organization

An international organization falls victim to cyber attacks, the impact of which could and should have been averted by the host state. The scenario explores the obligation of due diligence on the part of the host state and whether and under what circumstances the international organization may resort to countermeasures.

Keywords
Countermeasures, international organisation, legal personality, malware

Facts
[F1] The regional headquarters (RHQ) of the international organization Z is located in State A, which is also a Member State of the organization. The status of the RHQ is governed by a host agreement between State A and organization Z. The agreement establishes, among other things, (1) a scheme of regular monthly payments by organization Z to State A in return for the provision of communications, security, and other services; and (2) a duty of State A to “render all practicable assistance to [organization Z] in the fulfilment of its functions, including […] the provision of security of communications and information systems”.

[F2] In the meantime, security researchers at a government CERT in State B, which is not a Member State of organization Z, discover a large-scale APT attack that targets several public and private institutions in various countries. After they determine that the computer network of organization Z’s RHQ in State A has also been compromised, they submit a confidential report of their findings to the CERT in that State including recommendations of specific measures to be taken.

[F3] Several days later, key systems of RHQ computer network cease to operate due to data encrypting ransomware and it is later confirmed that the malware does not actually preserve the encryption key and that therefore all encrypted data has been irretrievably lost.

[F4] The fact that many RHQ staff have been locked out of their devices, combined with the loss of data, means that the international organization experiences a significant disruption to its activities in the entire region. The independent confidential report is soon leaked to the press, exposing State A as having left the organisation “at the mercy” of foreign hackers.

[F5] Aggrieved by these revelations, the organization ceases all payments to State A and issues a public statement noting that it does not intend to reinstate the payments until the State compensates it for all damage incurred by the cyber attack and provides credible reassurance that an incident of this kind will not happen in the future. The origin of the attack remains unknown.

Examples

 * NotPetya (2017)
 * WannaCry (2017)
 * African Union headquarters hack (2018)
 * African Union headquarters hack (2020)
 * Pfizer/BioNTech vaccine data modification and leak (2020)

Legal analysis
For a general overview of the structure of analysis in this section, see Note on the structure of articles.

[L1] The analysis in this scenario first considers whether State A violated any of its international obligations owed to international organization Z. In the second section, it zones in on the question whether the measures the organization took in response can be qualified as lawful countermeasures against State A.

Breach of obligations owed to international organizations
[L2] It has long been established that international organizations may possess legal personality under international law. Those that do, qualify as subjects of international law and are therefore capable of possessing international rights and duties. In specific circumstances, States may dispute whether a particular organization possesses legal personality. However, given that in the present scenario, State A is a member of the international organization Z which has its own regional headquarters to fulfill its own functions, the legal personality of organization Z is at least implicitly recognized by State A. Similarly, the fact that State A concluded the host agreement with organization Z suggests that it recognizes the latter's legal personality. [L3] There is no general rule of international law that would specifically prohibit interference with the cyber infrastructure of an international organization. Cyber operations against the infrastructure of an international organization located in the territory of a particular State may simultaneously infringe international legal rights of that State, which then becomes entitled to respond to the breach. However, that solution is manifestly not available in a situation where the potentially responsible party is the territorial State itself—as in the present scenario. In other words, a specific obligation owed by the State to the organization must be identified.

[L4] An obligation of this kind may arise from an international treaty between a State and an international organization. State A is indeed under the duty to “render all practicable assistance to [organization Z] in the fulfillment of its functions, including […] the provision of security of communications and information systems”, an obligation paralleled in other existing host agreements.

[L5] Firstly, the obligation of State A to provide all practicable assistance to international organization Z is an obligation of conduct and not of result. State A is thus not responsible for the fact that negative consequences had materialized in the form of the loss of data and the need to repair the attacked cyber infrastructure belonging to organization Z. Whether a State’s actual conduct corresponds with that required by an obligation of conduct is determined by reference to the criterion of due diligence. Accordingly, the State’s failure to act on the report in any way whatsoever is legally relevant. Irrespective of the factual consequences of the State’s conduct, it will be in breach of its obligation if its actual conduct does not correspond to the conduct required by the obligation.

[L6] Secondly, it must be assessed whether State A had actual or constructive knowledge that would have prompted it to take necessary action to provide practicable assistance. The mere fact that State A was informed by the CERT in State B of the risk that malicious actors may soon seize control over the computers in the regional office is not sufficient to establish the knowledge. It is possible, and even reasonably expected, that State A needed time to verify the accuracy and credibility of the information provided by the CERT in State B. Depending on the structure of information flow within State A, it may take several days or even longer for the particular report to be processed. However, after the incident has occurred, State A cannot claim the lack of knowledge as a justification for failing to provide practicable assistance as required under the attendant circumstances.

[L7] Thirdly, although the extent of required conduct will vary from case to case, State A is required to take feasible action to assist organization Z in the fulfillment of its functions. For example, State A could have provided organization Z with a back-up computer system to restore the functionality of computer network in cases where key systems failed to operate for any reason. After the incident has taken place, it is also reasonable to expect State A to provide additional resources to restore the computer network necessary for organization Z to perform its functions. However, whether these actions are indeed feasible must be assessed reasonably on a case-by-case basis in light of all attendant circumstances.

[L8] Applied to the present scenario, the above considerations suggest that State A is unlikely to have met the standard of due diligence against which its compliance with the obligation to render all practicable assistance is measured. As such, State A would have violated its obligation owed to international organization Z under the host agreement. Moreover, this violation would have been of a continuing character, persisting for as long as State A’s inaction inconsistent with its international obligations continued.

Countermeasures by international organizations
[L9] This section focuses on the question whether, and to what extent, international organization Z may respond to the breach of the host agreement by State A by taking measures that would otherwise be unlawful under international law. Conversely, it does not consider the related question of suspension or termination of treaty relations between State A and international organization Z on account of a supposed material breach of the host agreement.

[L10] To begin with, it follows from the fact of an international organization’s legal personality that if its rights had been infringed by another subject of international law, the organization must have the right to invoke that subject’s international responsibility. In particular, the organization may demand the cessation of the internationally wrongful act as well as reparation for the injury suffered. However, it is not universally accepted that an international organization may resort to countermeasures in order to procure such cessation and/or reparation. Those who object against such capacity on part of international organizations under the extant international law point to the absence of practice in the area. However, in the decentralized international legal order, the right to invoke the responsibility of other subjects must entail the right to resort to the permissible means of enforcement that have evolved under international law. To hold otherwise would be to deprive international organizations of the ability to effectively protect their rights and thus to nullify the legal effect of their legal personality. The view that international organizations may take countermeasures is additionally supported by the International Law Commission and several international organizations and States.

[L11] The interruption of payments owed to State A under the terms of the host agreement amounts to a clear breach of organization Z’s international obligations. In order for this conduct to be considered a countermeasure and, as such, internationally lawful, several conditions must be fulfilled.

[L12] In particular, the injured international organisation must first call upon the responsible party to fulfil its obligations of cessation and reparation, and it must notify the latter of its intention to take countermeasures, while offering to negotiate (condition 1); any countermeasures taken must comply with the principle of proportionality (condition 2); they must be, as far as possible, temporary in nature and terminate as soon as the responsible party has fulfilled its relevant obligations (condition 3); and they must not violate obligations under peremptory norms of general international law (condition 4).

[L13] In the present case, condition 1 appears not to have been met: international organization Z would have been advised to communicate its demands and intentions to State A prior to interrupting the payments required under the host agreement. Exceptionally, the injured party may dispense with the notification requirement and take “urgent countermeasures”, but this exception is limited to those measures that are necessary to preserve that entity’s rights. No such urgency seems to be substantiated under the terms of the scenario. Moreover, the UK Attorney General has recently suggested that the notification requirement may not apply in the cyber context if it entailed the exposition of “highly sensitive capabilities in defending the country”. Whatever the status of this supposed additional exception under international law, it would clearly be inapplicable to the present set of facts.

[L14] Condition 2 requires that any countermeasures taken must be commensurate with the injury suffered, taking into account the gravity of the internationally wrongful act and the rights in question. This requirement of proportionality does not imply that the response must be equivalent, reciprocal or even in-kind: “[n]on-cyber countermeasures may be used in response to an internationally wrongful act involving cyber operations, and vice versa”. In the present case, international organization Z would likely be able to make a solid case that the measures it took in response were proportionate to the injury suffered. This is because until the effects of the malicious cyber operation against it are remedied, the organization will not be able to resume its activities. Accordingly, the cessation of payments to State A for the provision of communications, security, and other services appears to be directly tied to the rights infringed and not excessive to what is needed for the vindication of those rights. As such, the measures taken by Z can be considered as compliant with the criterion of proportionality.

[L15] Condition 3 requires that countermeasures must be terminated as soon as the responsible party has complied with its cessation and reparation obligations. In this regard, the statement by international organization Z seems to closely follow the relevant legal requirements. As noted above, at that time, State A’s inaction qualified as a breach of its international obligations having a continuing character. Suppose that State A would subsequently agree to provide adequate reparation by, for example, repairing the damaged cyber infrastructure, paying appropriate compensation, and introducing effective measures to avoid the repetition of similar incidents. In that case, any countermeasures would no longer be justified and international organization Z would have to resume all its duties under the host agreement.

[L16] The described countermeasures do not violate obligations under peremptory norms (condition 4).

[L17] In conclusion, although organization Z was in principle entitled under international law to resort to countermeasures, under the circumstances of the present scenario, the cessation of payments to State A did not meet one of the necessary criteria (condition 1 above) and as such it amounted a violation of international law by the organization.

Checklist

 * Does the international organization in question possess international legal personality?
 * Does the constituent instrument of the international organization contain any relevant duties owed to it by its member States?
 * Do the relevant obligations qualify as obligations of conduct or result?
 * Would the measures taken in response by the international organization amount to a breach of its obligations to the acting State?
 * Can the measures taken in response be qualified as lawful countermeasures against the acting State?

Bibliography and further reading

 * Frederic Dopagne, ‘Sanctions and Countermeasures by International Organizations’, in Richard Collins and Nigel White (eds) International Organizations and the Idea of Autonomy (Routledge 2011).
 * Joanna Kulesza, Due Diligence in International Law (Brill 2016) 266.
 * Michael N Schmitt (ed), Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (CUP 2017).
 * Nigel White, The Law of International Organizations (Juris 2005).
 * Rüdiger Wolfrum, ‘Obligation of Result Versus Obligation of Conduct: Some Thoughts About the Implementation of International Obligations’ in MH Arsanjani and others (eds), Looking to the Future: Essays on International Law in Honor of W. Michael Reisman (Brill 2010).

Contributions

 * Scenario by: Taťána Jančárková & Kubo Mačák
 * Analysis by: Kubo Mačák
 * Reviewed by: Hitoshi Nasu; Petr Novotný