Scenario 07: Leak of State-developed hacking tools

This scenario deals with the leak of State-developed hacking tools, software companies not being informed of the vulnerabilities to their products, and the repurposing of the hacking tools for criminal purposes. The legal analysis deals with due diligence, the obligation to respect sovereignty, and the prohibition of intervention.

Keywords
Exploits and vulnerabilities, sovereignty, prohibition of intervention, due diligence

Facts
A website appears on the Internet, offering the sale of various hacking tools, including zero-day vulnerabilities, spyware, and ready-made exploits. The sellers allege that all of the tools on offer had been developed by State A’s intelligence services (incident 1). Independent security researchers confirm that the advertised tools indeed resemble a number of different tools previously used in cyber operations in which State A had been implicated.

Software companies whose products are said to contain the vulnerabilities launch a formal protest with State A for not having informed them of the existence of those vulnerabilities, before and especially after the leak (incident 2).

The tools are later repurposed by State B’s military unit and used in a ransomware campaign, causing substantial losses globally, including paradoxically in State A. In particular, the spread of the ransomware results in the encryption of data in several of State A’s public information systems (incident 3). The facts as stated above have been verified by independent security researchers.

Similar real-world incidents
The Shadow Brokers (2017)

WannaCry (2017)

NotPetya (mock ransomware) (2017)

Legal analysis
For a general overview of the structure of analysis in this section, see Note on the structure of articles.

The legal analysis is divided into four parts: the first two parts discuss the responsibility of State A due to a breach of due diligence obligation and the second two parts deal with the responsibility of State B for a violation of sovereignty and prohibited intervention based on the ransomware campaign.

Attribution to State A
Internationally wrongful acts of States may consist of actions as well as of omissions. However, whether there is an omission relevant for the purposes of attribution is intertwined with the existence of a concomitant international obligation and, therefore, with the identification of a subject by which this obligation is owed. It is in this sense that the failure of State A to prevent the theft of its tools (incident 1) and to report the existence of specific vulnerabilities to software manufacturers (incident 2) must be assessed.

Attribution of incident 3 to State A is not realistic. State A would only be responsible for the conduct of State B’s military unit if the unit was placed at the disposal of State A and acting in the exercise of elements of the governmental authority of State A (see attribution).

Due diligence
(1) As such, the leaking of the hacking tools and not informing the software manufacturers (incidents 1-2) from State A could be contrary to the rights of third States, because it makes their cyber infrastructure more vulnerable to malicious activities. However, the leaking is a fairly remote cause of the malicious activities, because an intervening act of a malicious actor is required; it is questionable whether the consequence can still be attributed to State A.

(2) The leak utilised the computer systems (cyber infrastructure) of State A. However, it is questionable if the leak itself is the harmful activity: rather, the abuse of the hacking tools is. Nevertheless, even if cyber infrastructure is interpreted broadly to include software such as some of the hacking tools originally developed by State A, these tools were nonetheless no longer under the sole control of State A when they were repurposed and used to cause harm to third parties.

(3) If State A purposefully transferred their hacking tools to a third party, be it a State or a non-State actor, it could be responsible for further operations utilizing the hacking tools only if strict attribution conditions were met – for instance, if State A also exercised direction and control over the non-State actor.

(4) The leak led to substantial losses, which might qualify as “serious adverse consequences” if they cause, for instance, serious disruptions of societal functions, but again, the leak is causally remote from these consequences.

(5) State A knew about the leak. The scenario does not say since when exactly, but it is assumed that State A knew at the latest when the origin of the hacking tools was confirmed by independent researchers.

(6) State A did not inform the software manufacturers, which could have mitigated the consequences. This was an omission on its part.

In sum, it would be difficult to determine a breach of a due diligence obligation by State A. The major stumbling blocks are the absence of an unqualified international obligation not to transfer State hacking tools to third parties (condition 3), remoteness of the causality (conditions 1 and 4), and the uncertainty about the seriousness of the adverse consequences (condition 4).

Attribution to State B
Incidents 1-2 are not attributable to State B – there is no indication of State B’s involvement in the leak of vulnerabilities. Incident 3 (ransomware campaign) is attributable to State B, because the operation was conducted by one of its military units, which qualifies as an organ of that State. Whether incident 3 potentially amounts to a breach of State B’s international obligations depends on the following considerations:

State B’s obligation to respect the sovereignty of State A
Applying these considerations to the present case, it is crucial to note at the outset that State B’s ransomware campaign was not conducted from State A’s territory and that it did not cause physical consequences, despite having resulted in significant economic losses. Therefore, neither of options 1 and 2 above appears to have been met in this scenario. However, the cyber operations did cause a loss of functionality of many computer systems, including in State A, which is relevant for option 3 above. Additionally, inherently governmental functions might have been interfered with (option 4 above), although the information about State A’s public information systems is not detailed enough to conclude what their function was. In sum, there is some evidence, albeit not conclusive in nature, which suggests that State B may have violated its obligation to respect the sovereignty of State A.

Prohibited intervention by State B
One possible interpretation is that State B attempted to coerce State A into transferring money to State B in order not to lose public data. Also, the domaine réservé of State A was affected, because its sovereign right to determine how to spend its funds was breached by State B, and therefore, State B engaged in prohibited intervention in State A.

Alternatively, it can be argued that this is too literalist a view of the conditions; economic coercion of this scale is usually insufficient to constitute prohibited intervention. Moreover, compared to the economic losses caused by the incidents, the collected ransom was likely negligible. Also, States are not very likely to pay the ransom, which further undermines the argument that the acts were coercive, rather than disruptive.

In sum, absent the information about State B’s motivation, it is difficult to label the operation coercive.

Checklist

 * Due diligence: In what circumstances would a State violate international law if it transferred the hacking tools to a non-State actor on purpose?
 * Due diligence: Are State-developed hacking tools “cyber infrastructure” of that State, even if they are used outside its territory and without its control?
 * Due diligence: How proximate is the causal link between the stealing of the hacking tools and the consequences caused by their use?
 * Due diligence: Did the incident lead to “serious adverse consequences”?
 * Due diligence: Since when did the potentially responsible State know about the incident?
 * Due diligence: Did the potentially responsible State take all feasible measures to put an end to the malicious cyber activities?
 * Sovereignty: Did the incident cause a permanent loss of functionality of computer systems?
 * Sovereignty: Did the incident interfere with inherently governmental functions?
 * Prohibition of intervention: Did the potentially responsible State coerce the victim State to change its free decision about its internal or external matters by asking for ransom for the affected government systems?

Bibliography and further reading

 * MN Schmitt (ed), Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (CUP 2017)
 * Etc.

Original text by: Tomáš Minárik

Reviewed by: Kubo Mačák