Scenario 17: Collective responses to cyber operations

A State falls victim to a wide range of cyber operations and asks its allies for help. Specifically, the State wants its allies to collectively and publicly attribute the cyber operations to the perpetrator State, to implement travel bans and asset freezes against the individual perpetrators and to undertake collective countermeasures against the responsible State to induce it to cease the cyber operations. The scenario explores the legality of these collective responses to cyber operations from the perspective of international law.

Keywords
Countermeasures, collective countermeasures, targeted restrictive measures, retorsion, erga omnes obligations, prohibition of intervention, sovereignty, attribution

Facts
[F1] State A is a middle-income developed country in the western hemisphere. It has a growing technology sector and its “Digital Agenda 2030” development plan foresees, among other objectives, the digitalization of public services, investment in the digital economy and setting up of a cyber defence force by 2030. However, the cyber defence force is not yet operational and State A’s abilities to detect, attribute and respond to cyber operations remain limited. In this regard, State A relies on the assistance of its allies from the intergovernmental organization Union of States (“UoS”). The founding treaty of the UoS includes mutual assistance and defence obligations.

[F2] State A suffers a prolonged series of cyber operations against its critical infrastructure. A ransomware campaign affects the functioning of public hospitals, public transport (including municipal and long-distance trains) and various governmental services, such as the functioning of court electronic filing systems '''(incident 1). '''The ransomware makes it necessary to postpone planned operations in some hospitals and delays the running of suburban trains in the capital.

[F3] On the first day of the cyber operations, State A acquires the services of a private cyber security company. The forensic analysis conducted by the company suggests a high likelihood that the cyber operation has been conducted by an APT which is commonly identified with a unit of State B’s armed forces specialized in cyber warfare. This is corroborated by State A’s intelligence service as well as the intelligence services of several UoS Member States. State B is not a member of the UoS.

[F4] In an emergency meeting of the UoS Council, State A asks the UoS Member States for assistance. In particular, it asks its allies to:  publicly and collectively attribute the cyber operations to State B (response 1); introduce targeted restrictive measures (asset freezes and travel bans) against the identified perpetrators of the cyber operations (response 2) and conduct offensive cyber operations against State B’s cyber infrastructure used in the attacks against State A in order to degrade and destroy State B’s offensive cyber capabilities and induce State B to cease its actions (response 3). 

Examples

 * Texas Municipality ransomware attack (2019)
 * SamSam ransomware attack (2018)
 * NotPetya (2017)
 * WannaCry (2017)
 * Sony Pictures Entertainment attack (2014)
 * Cyber attacks against Estonia (2007)

Legal analysis
For a general overview of the structure of analysis in this section, see Note on the structure of articles.

[L1] The analysis in this scenario focuses on the legal qualification of State responses to cyber operations from the perspective of international law. It reflects already existing examples and scenarios to examine how to qualify responses 1-3 and whether such responses may be taken by States other than the State, which is the primary target of the relevant conduct. The analysis is restricted to general international law and does not take into account mutual defense and/or assistance obligations, which may exist between the UoS Member States and could influence their legal obligations and standing to take action in a real-world scenario.

[L2] The type of response which States are entitled to undertake under international law will depend on four key factors:
 * attribution;
 * the legal qualification of the hostile cyber operation which gave rise to the decision to respond;
 * the legal qualification of the response action; and
 * whether the responding State is entitled to invoke the international responsibility of the State from whose territory the initial cyber operation was launched.

Attribution
[L3] As the APT is a military unit of State B and the military is an organ of the State, the hackers’ conduct is attributable to State B under the customary rules on State responsibility, as reflected in Article 4 of the Articles on State Responsibility.

Breach of an international obligation
[L4] This section considers whether the cyber operations are a breach of an international obligation—specifically, the prohibition on the use of force, the prohibition on intervention and the obligation to respect the sovereignty of other States.

Use of force
[L5] It is unlikely that the ransomware attacks (incident 1) constitute a use of force. Given the absence of direct physical damage, the ransomware attacks would arguably need to fulfil the criteria listed above to be considered comparable to the use of kinetic force. This is not the case here. The effects of the ransomware attack – the postponement of operations in hospitals, delays in public transport and the inability to electronically file court cases – would most likely not be severe enough to equate with a physical use of force against these targets, given that the malware affects the availability and integrity of a system, but typically does not leave lasting physical damage to the affected computer systems. Furthermore, the direct consequences of the ransomware are economic in nature – leading to system outages and the need to spend resources to clean the affected systems – rather than physical. Moreover, neither the intended target, nor the circumstances prevailing at the time of the attacks, nor the actual or intended effects point to a military character of the cyber operation.

Prohibition of intervention
[L6] There is no suggestion in the scenario that the cyber operations in any way involved the external affairs of State A. However, certain effects of the ransomware implicate the domaine réservé of State A, in particular the capability of offer governmental services to the citizens of State A.

[L7] Nevertheless, the cyber operations were not sufficiently coercive in nature in the sense of having the potential to impermissibly interfere with the free exercise of the sovereign will of State A. Firstly, there is no indication in the available evidence that the ransomware attacks were conducted with the intent to force State A to take – or abstain from taking – a particular decision. Secondly, while the cyber operations affected governmental services offered to citizens and had a negative impact on the functioning of those services through the encryption of computer systems on which the services run, they did not compel State A to refrain from taking certain actions or to adopt certain positions against its will. Moreover, although it seems possible that a large-scale cyber operation against critical infrastructure abroad could have the potential to compel the victim State to take (or refrain from taking) a particular course of action against its will, the ransomware attacks described in incident 1 arguably do not show this potential due to their fragmentary and localized character.

[L8] In consequence, there was no prohibited intervention into the internal affairs of State A.

Obligation to respect the sovereignty of other States
[L9] This analysis proceeds on the basis that the obligation to respect the sovereignty of another State is a rule of international law applicable to cyberspace. Accordingly, under the test proposed by the Tallinn Manual, sovereignty is breached – among other grounds – when a cyber operation either causes a loss of functionality of cyber infrastructure (option 3 above) or interferes with or usurps inherently governmental functions (option 4). The ransomware attacks (incident 1) resulted in severe losses of functionality of the targeted systems. Public hospitals, transportation and governmental services were not able to function properly, which resulted in further financial losses. Moreover, the functioning of the courts is an inherently governmental function (i.e., the administration of justice). Therefore, the effects on governmental services amounted to an interference with inherently governmental functions of State A.

[L10] In conclusion, on the “sovereignty-as-rule” approach, State B’s actions would have violated the obligation to respect State A’s sovereignty in cyberspace.

Permissible responses
[L11] To conform with the law of State responsibility, measures taken by States in response to cyber operations must either not violate any applicable international legal rule (and therefore qualify as retorsions) or, if they do violate a rule of international law, such as the principle of non-intervention or the prohibition of the use of force, they must be justifiable on one of the grounds precluding wrongfulness, such as countermeasures.

Collective attributions
[L12] It is necessary to distinguish attribution in the legal sense, signifying attribution of a specific act or omission to a State for the purposes of inducing international responsibility, from the political act of attribution, which is a policy consideration whereby the decision is made to attribute a specific cyber operation to an actor without necessarily attaching legal consequences to the decision. Such political attributions by individual States can take many forms, for instance criminal indictments, economic sanctions, technical alerts or official statements.

[L13] States can – but are not obliged to – take the decision to collectively attribute actions to another State. They may be regarded by the State to which a cyber operation has been attributed as an unfriendly act, but as they are of a political nature, such statements in principle do not violate any international legal obligations and therefore can be qualified as retorsions. As such, international law does not impose any restrictions on States wishing to act individually or collectively to react by way of retorsion against a wrongdoing State.

[L14] In consequence, the collective political attributions contemplated by the UoS Council (response 1) would not breach any international obligation and would therefore be permissible as acts of retorsion against State B.

Targeted restrictive measures
[L15] In the present scenario, the travel bans and asset freezes contemplated by the UoS Council (response 2) would constitute targeted restrictive measures. Since such measures interfere with the subjects’ property rights, they have to conform with the implementing States’ obligations under human rights and other treaties (for instance bilateral investment treaties). However, without further information, nothing in this scenario indicates that rights granted to individuals by virtue of a treaty or customary international law would be affected. Therefore, they are permissible under international law and may be taken either by State A individually or by a group of UoS Member States collectively.

Offensive cyber operations as collective countermeasures
[L16] Offensive cyber operations which degrade and destroy another State’s offensive cyber capabilities may constitute a violation of sovereignty and thus an internationally wrongful act, as they lead to a loss of functionality of that State’s cyber infrastructure (see also paras L8–L9 above). In consequence, they are only permissible if they can be qualified as countermeasures and comply with the requisite conditions under the law of State responsibility (including necessity, proportionality, not amounting to a breach of an erga omnes obligation, etc.).

[L17] It is debatable whether international law currently permits States other than an injured State to take countermeasures in order to induce a responsible State to comply with its obligations. While it might be argued that international law has indeed evolved to permit such collective countermeasures, it is widely understood that non-injured States may take action only to induce compliance with obligations that are owed to a group of States and established to protect a collective interest or erga omnes, i.e. owed to the international community as a whole. Apart from that, collective countermeasures against breaches of obligations owed to the injured State individually are not permitted and this applies also in the cyber context.

[L18] In consequence, any offensive cyber operations taken by UoS States against State B (response 3) would only be justified as (collective) countermeasures if the prior internationally wrongful act breached an international obligation established for the protection of a community interest and not merely for the protection of an individual interest of a State.

[L19] Examples of protected community interests include common goods in international environmental law, standards of protection for a group of people, especially within human rights law, or international common spaces such as the moon or other celestial bodies. Furthermore, obligations owed to the international community as a whole include the prohibition of aggression and of genocide, protection of basic rights of the human person, including protection from slavery and racial discrimination, the right of peoples to self-determination and fundamental rules of international humanitarian law.

[L20] While incident 1 may have breached the obligation to respect the sovereignty of State A (see para. L9 above), this rule protects individual rights of the affected State, and not community interests. Therefore, offensive cyber operations as contemplated in response 3 would also not serve to enforce community interests; consequently, their wrongfulness would not be precluded as lawful (collective) countermeasures. In consequence, the UoS Member States may not lawfully take measures as contemplated in '''response 3. '''

Checklist

 * Can the cyber operation in question be attributed to a State?
 * Are the authors of the cyber operation State organs?
 * Did the cyber operation constitute a violation of an international obligation?
 * Use of force:
 * What was the severity of the cyber operation?
 * Were the effects of the cyber operation directly connected to the underlying cyber activity?
 * Did the cyber operation have a military character?
 * Prohibition of intervention:
 * Did the cyber operation interfere with the internal or external affairs of State A?
 * Was the cyber operation coercive, i.e., did it have the potential to deprive State A of its freedom of choice concerning its internal or external affairs?
 * Sovereignty:
 * What is the position of the analyst / interlocutor on whether sovereignty is a standalone primary rule of international law?
 * Did the cyber operation result in physical damage or injury on State A’s territory?
 * Did the cyber operation cause a loss of functionality of State A’s computer systems?
 * Did the cyber operation interfere with State A’s inherently governmental functions?
 * What responses are permissible to be undertaken collectively?
 * Are the response measures political acts, such as public attributions?
 * Do the response measures violate any international obligation owed by the responding State(s) to the responsible State?
 * Are the countermeasures aimed at inducing compliance and proportionate?
 * Have the responding States called upon the responsible State to cease the cyber operation in question and given notice of their intent to undertake countermeasures? Or are they acting with urgency to preserve the injured rights?
 * Are the responding States directly affected by the breach of an international obligation by the responsible State or are they acting in support of an injured State?
 * Are the responding States acting collectively and in the community interest to protect an erga omnes norm?

Bibliography and further reading

 * Dennis Broeders, The Public Core of the Internet (Amsterdam University Press 2015).
 * Elena Chachko, ‘Foreign Affairs in Court: Lessons from CJEU Targeted Sanctions Jurisprudence’ (2019) 44 Yale Journal of International Law 1.
 * Martin Dawidowicz, ‘Third-Party Countermeasures: A Progressive Development of International Law? - QIL QDI’ (2016) 29 Questions of International Law 3.
 * Martin Dawidowicz, Third-Party Countermeasures in International Law (CUP 2017).
 * François Delerue, Cyber Operations and International Law (CUP 2020).
 * Carlo Focarelli, ‘International Law and Third-Party Countermeasures in the Age of Global Instant Communication’ (2016) 29 Questions of International Law 17.
 * Eleni Katselli Proukaki, The Problem of Enforcement in International Law (Routledge 2010).
 * Jeff Kosseff, ‘Collective Countermeasures in Cyberspace’ (2020) 10 Notre Dame Journal of International and Comparative Law 1.
 * Jeff Kosseff, ‘Retorsion as a Response to Ongoing Cyber Operations’ in Taťána Jančárková and others (eds), 20/20 Vision: The Next Decade (NATO CCD COE 2020).
 * Przemysław Roguski, ‘Collective Countermeasures in Cyberspace: Lex lata, Progressive Development or a Bad Idea?’ in Taťána Jančárková and others (eds), 20/20 Vision: The Next Decade (NATO CCD COE 2020).
 * Barrie Sander, ‘Democracy under the Influence: Paradigms of State Responsibility for Cyber Influence Operations on Elections’ (2019) 18 Chinese Journal of International Law 1.
 * Michael N Schmitt, ‘Estonia Speaks Out on Key Rules for Cyberspace’ JustSecurity, 10 June 2019.
 * Michael N Schmitt, ‘France’s Major Statement on International Law and Cyber: An Assessment’ JustSecurity, 16 September 2019.

Contributions

 * Scenario by: Przemysław Roguski
 * Analysis by: Przemysław Roguski
 * Reviewed by: François Delerue, Steven Hill, Jeff Kosseff, Mark Norris