Scenario 23: Vaccine research and testing

A major State-run hospital serving as a virus testing and vaccine research facility falls victim to both research espionage and a two-day distributed denial of service (DDoS) attack during a pandemic. Several months of research and clinical trial data is exfiltrated to a neighbouring State. As a result of the DDoS attack, the victim State’s population cannot access information about virus testing availability and cannot obtain test results. The scenario considers attribution of the cyber operations and whether such incidents constitute a violation of sovereignty, a prohibited intervention, a use of force, or a violation of international human rights law.

Keywords
Attribution, sovereignty, peacetime cyber espionage, prohibition of intervention, use of force, international human rights law, DDoS, hospitals

Facts
[F1] State A and State B are suffering from a pandemic caused by a highly communicable, previously unidentified respiratory virus. Common symptoms of the virus include high fever, cough, shortness of breath, and fatigue. Because some infected persons are symptomatic and others are contagious despite appearing asymptomatic, the virus is spreading virtually unchecked. Hospitals are rapidly becoming overwhelmed. The virus’ high mortality rate, if not treated promptly, means both States desperately want to develop an effective treatment for those infected and a vaccine to protect others from becoming ill.

[F2] Over the prior decade, the relationship between States A and B has deteriorated significantly. The recent rise to power of an ultra-nationalist prime minister in State B, unrestrained by a similarly disposed parliament, has worsened the decline in relations. In the last year, State B has frequently accused State A of mistreating its large ethnic minority.

[F3] The largest State-run hospital in State A, which also serves as a vaccine research facility and the primary national virus testing facility, was recently victimized by a pair of hostile cyber operations. Eight months of vaccine research and clinical trial data was copied and exfiltrated (incident 1). Forensic investigators in State A cannot definitively rule-out the possibility that the perpetrator maintains persistent access to the hospital’s information systems. However, investigators conclude, with moderate certainty, that the integrity of the original data remains intact and unchanged. State A appears to still have full, unrestricted access to the research data in its continuing effort to develop an effective vaccine. The operation appears to have been limited to exfiltration of data and, consequently, a loss of confidentiality.

[F4] A two-day distributed denial of service (DDoS) attack left the public unable to access the hospital’s website to obtain information about testing availability and unable to view test results (incident 2).

[F5] Both publicly and through diplomatic channels, State B denies any involvement in the incidents. Despite these denials, State A cybersecurity authorities conclude with a high degree of confidence, based on forensic analysis, that State B is the most probable actor responsible for both the exfiltration of the vaccine research and the DDoS attack. The vaccine research and clinical trial data obtained from State A were exfiltrated to the Ministry of Health in State B. Moreover, the techniques used for both the data theft and the DDoS attack are identical to those employed by State B’s intelligence service in previous cyber operations conducted against State C, an ally of State A.

Examples

 * Brno University Hospital ransomware attack (2020)
 * Pfizer/BioNTech vaccine data modification and leak (2020)

Legal analysis
For a general overview of the structure of analysis in this section, see Note on the structure of articles.

[L1] The analysis in this scenario focuses on three main issues: 1) Whether the cyber operations conducted against State A are attributable to State B; 2) Whether the exfiltration of State A’s vaccine research is an internationally wrongful act; and 3) Whether the DDoS operation against State A is an internationally wrongful act.

Attribution
[L2] Both the cyber espionage operation and the DDoS attack are likely attributable to State B. Admittedly, there is a possibility that this hostile cyber operation was, in fact, a “false flag” operation perpetrated by a third State in such a way as to make it appear State B was responsible. However, in light of the increasingly strained diplomatic relationship between States A and B, the fact that the vaccine research was exfiltrated to the Ministry of Health in State B, and because the techniques employed to conduct both operations comport with those previously used by State B’s intelligence service against State C, State A has a high degree of confidence State B was responsible. State B’s intelligence service is undeniably functioning as part of State B’s central government and thus a State organ the conduct of which is attributable to State B under Article 4 of the International Law Commission’s Articles on State Responsibility. Consequently, the balance of the analysis of this scenario considers whether State B breached its international law obligations either by exfiltrating vaccine research data or by conducting the DDoS operation against the hospital in its capacity as a vaccine research site and as State A’s principal virus testing facility.

Breach of an international obligation
[L3] This section considers whether the cyber espionage and the DDoS attack by State B breach an international obligation owed to State A—specifically, whether State B breached the international law rules prohibiting violations of State sovereignty and intervention into the domaine réservé of another State, perpetrated an unlawful use of force against State A, or violated the human rights of inhabitants of State A.

Obligation to respect the sovereignty of other States
[L4] State B’s DDoS attack (incident 2) violated State A’s sovereignty. Under one view, which is held by a number of states, as well as numerous scholars, a remotely conducted cyber operation breaches the sovereignty of another State if it causes concrete effects within the territory of the victim State. A contrasting view, succinctly expressed by France, is that that a cyber operation penetrating a State’s systems violates that State’s sovereignty even if the cyber operation does not cause concrete effects within victim State territory. One can conclude with a high degree of certainty that, by interfering with the dissemination of virus testing information and test results, State B caused the virus to spread more rapidly among people in State A than it otherwise would have done. The inability of State A’s population to know how and when to schedule testing or to obtain the results of completed tests in a timely manner meant that people were unable to identify themselves as carriers of the virus, were unaware they posed a public health risk, and likely were slow to implement appropriate precautions. That lack of information means persons carrying the virus almost certainly unknowingly spread it to others. Likewise, State A more than likely experienced an increased mortality rate from the virus because the inability of the population to get tested and to obtain test results delayed at least some persons carrying the virus and manifesting symptoms from seeking necessary and proper treatment.

[L5] For this prong of analysis of incident 2, the physical effects must be ascertained and causally linked to the cyber operation. Mere rescheduling of planned surgeries or a minor delay in delivering the test results would be a less serious effect than directly interfering with the immediate delivery of medical care; likewise, the impossibility of testing at one location could simply result in people taking the test elsewhere, so it may be difficult to pinpoint the causal link between the cyber operation and the additional infections.

[L6] There exists some uncertainty whether interference in, or usurpation of, inherently government functions is a relevant test for determining the existence of a violation of sovereignty, even though several States have already made declarations in favour of this interpretation. Applying that analysis to incident 2, State B also breached State A’s sovereignty by interfering with its ability to carry out its inherently governmental function of managing the public health crisis ongoing within its territory. By denying State A’s populace access to critical information about operations at the State’s primary virus testing facility, State B’s DDoS attack interfered with a vital aspect of State A’s plan for managing the health crisis. The act of interfering with State A’s inherently governmental function, wholly apart from whether that interference causes concrete effects to manifest in State A, results in a sovereignty violation.

[L7] As for State B exfiltrating the vaccine research from State A (incident 1), under the facts of this scenario, this likely does not constitute a sovereignty violation. First, State A suffered no damage or destruction to its cyber infrastructure. Second, State B did not, merely by exfiltrating vaccine research, necessarily cause increased spread of the virus or higher mortality rates among those infected with the virus in State A. If, however, State B accessing the clinical trial data caused the clinical trial to fail procedural protocols and need to be restarted, the resulting delay in State A’s vaccine development effort may shift the analysis in favour of a breach of sovereignty. Finally, State B did not impair the ability of State A to perform its inherently governmental functions; in particular its ability to manage the public health crisis within its borders.

Cyber espionage
[L8] State B’s cyber espionage efforts do not per se violate international law. Under the analysis above, remotely-conducted cyber espionage only violates a State’s sovereignty when it either causes concrete effects in the territory of that State—including serious damage to or destruction of cyber systems—or, according to those who hold this view, interferes with that State’s performance of its inherently governmental functions, whether or not such effects result from the espionage activities. Under the facts of this scenario, State B exfiltrating the vaccine research from State A likely does not constitute a sovereignty violation (see para L7).

Economic espionage
[L9] Exfiltrating eight months of vaccine research and clinical trial data from State A may fairly be considered economic cyber espionage of State A’s intellectual property. However, current international law does not prohibit economic cyber espionage. Therefore, attributing the data theft to State B and characterizing incident 1 as economic cyber espionage is insufficient to establish State B’s responsibility under international law. Absent a relevant treaty commitment between State B and State A, State B’s economic cyber espionage does not, itself, violate an international legal obligation binding upon it.

Non-intervention
[L10] The exfiltration of vaccine research by State B (incident 1) lacks the coercive element necessary to qualify as a prohibited intervention. State A retains full, unrestricted access to the research data in its continuing effort to develop an effective vaccine. State A’s ability to continue to execute its crisis response plan, a matter within its domaine réservé, is not adversely impacted by State B copying and appropriating the vaccine data to its own use.

[L11] In contrast, according to the more widely held position, the DDoS attack (incident 2) constitutes an unlawful intervention because it interfered with the crisis response plan developed by State A’s Ministry of Health by rendering the largest and principal virus testing centre in State A unable to perform its intended function as a key component of State A’s plan to manage the public health crisis ongoing in its territory.

Use of force
[L12] Uses of force need neither be perpetrated by the armed forces of a State nor involve the use of kinetic weapons. However, there is no consensus on the precise test or criteria by which to determine whether a particular cyber operation may properly be characterized as a use of force. That said, it is generally accepted that a cyber operation causing injury or death to persons or significant physical damage or destruction of objects qualifies as a use of force.

[L13] The DDoS attack by State B (incident 2) significantly lessened the ability of State A’s population to get tested and to obtain test results. Further, it almost certainly delayed at least some persons carrying the virus and manifesting symptoms from seeking necessary and proper treatment. State B’s conduct likely caused State A to experience increased rates of infection and mortality from the virus than would have been the case otherwise. Those increased rates of infection and mortality are reasonably foreseeable effects of State B’s cyber operation. If persons in State A in fact fell ill or died at any significant scale as a result of the DDoS attack (incident 2), then it may reasonably be characterized as an unlawful use of force against State A by State B. Even if such effects were not manifest and the hostile cyber operation did not qualify as a use of force, similar cyber operations repeatedly demonstrating the capacity to significantly disrupt cyber systems in a way likely to produce concrete effects might cross the Article 2(4) threshold as a threat to use force.

[L14] Even if the DDoS attack (incident 2) by State B qualifies as an unlawful use of force, State A and its allies may not respond in self-defence under UN Charter, Article 51, and its customary international law equivalent unless the DDoS attack is sufficiently grave to amount to an “armed attack.” Even then, a response in self-defence is further limited by the requirements that it be necessary and proportionate. State B was identified as the source of the DDoS attack (incident 2) only after the disruption. Indications that further cyber or kinetic attacks may follow are absent. Thus, it would be difficult for State A to reasonably claim that a use of force in self-defence was necessary to repel an ongoing or imminent attack by State B. State A could, if it chose, call upon the UN Security Council to characterise State B’s conduct as a “threat to the peace” or a “breach of the peace” and prescribe measures under Chapter VII of the UN Charter. Setting aside the prospect of UN Security Council action, it is at least arguably unnecessary to draw a conclusion regarding whether State B’s DDos attack (incident 2) against State A crossed the threshold of violating Article 2(4) of the UN Charter because it breached other applicable international legal rules. Even if international lawyers cannot agree on the precise rule(s) of international law violated by State B’s hostile cyber operations, there is a growing view that State cyber operations causing “significant adverse or harmful consequences for the research, trial, manufacture, and distribution” of vaccines, including “by means that damage the content or impair the use of sensitive research data, particularly trial results, or which impose significant costs on targeted facilities in the form of repair, shutdown, or related preventive activities” violate international law.

[L15] The unilateral responses available to State A under international law for a prohibited use of force—acts of retorsion and countermeasures —are identical to those available in response to other violations of international law.

Due diligence
[L16] In the event that State B denies responsibility or even goes so far as to proffer evidence suggesting that the hostile cyber operations are not, in fact, attributable to it, State B may still be liable for failure to meet its due diligence obligation. Assuming arguendo that State B was not in fact responsible for the hostile cyber operations themselves, it was still under an international legal obligation not to allow its territory and cyber infrastructure under its control to be used to affect State A’s rights and produce serious adverse consequences for State A. To be responsible for failing to meet its due diligence obligation, State B must have had actual knowledge that its territory or cyber infrastructure was being so used, or the facts must be such that State B “in the normal course of events would have become aware.” Assuming it knew or should have known its territory or infrastructure was being used to harm State A, State B was obligated “to take all measures that are feasible in the circumstances to put an end to [the hostile cyber operations].”

International human rights law
[L17] International human rights law (IHRL) is an applicable, and more direct, legal mechanism for vindicating the rights of the individuals (vice the States) harmed by State B’s DDoS attack (incident 2). Although there is no definitive listing of the international human rights regarded as customary, many human rights captured in treaties such as the ICCPR and the ICESCR are considered to reflect customary international law. Numerous treaties, including both the ICCPR and the ICESCR, protect the individual rights to health and life, as does customary international law.

[L18] The international legal obligation to respect individuals’ rights to life and health means States must refrain from conduct that unjustifiably interferes with, or otherwise adversely affects, these rights. The concept of State conduct resulting in an arbitrary deprivation of life arises most apparently in the contexts of domestic law enforcement operations and targeting during armed conflict. However, there is no reason, in principle, why an unjustified State cyber operation adversely impacting the individual human rights to life and health should be beyond the reach of IHRL.

[L19] A threshold issue with which one must grapple in determining the applicability of IHRL to State cyber operations conducted into another State which disrupt individuals’ access to health care services, interfere with the other State’s ability to preserve public health, and increase the rates of infection and mortality, is extraterritoriality. Although the Human Rights Committee has offered a more expansive and controversial conception of extraterritorial jurisdiction based upon a State’s exercise of control over the enjoyment of the right to life, the prevailing view is that human rights treaties apply where either (a) the State against which the IHRL obligation is to be levied controls the territory in which the victim’s rights are violated, or (b) an organ of the State against which the IHRL obligation is to be levied exercises power or control over the individual victim(s). Neither of these circumstances necessarily limits the application of IHRL to within the territorial borders of the acting State. Although not beyond reasonable debate as lex ferenda rather than lex lata, Compare Marko Milanovic and Michael N. Schmitt, ‘Cyber Attacks and Cyber (Mis)Information Operations During a Pandemic’, (2020) 11 J. Nat’l Security L. & Pol’y 247, 264 (stating that “an expansive view of the extraterritorial application of human rights obligations is both desirable and sensible”) and [https://undocs.org/CCPR/C/GC/36 Human Rights Comm. General Comment No. 36], ¶63, CCPR/C/GC/36 (Sep. 2, 2019) (adopting the position that “subject to its jurisdiction” under Art. 2 of the International Covenant on Civil and Political Rights refers not to the exercise of State power or control over the person but rather the exercise of State power and control over the enjoyment of the right to life and that the relevant consideration is direct and foreseeable impact on the right to life, wherever the victim may be located physically) with Bankovic v. Belgium, 2001-XII Eur. Ct. H.R. ¶¶74-82 (refusing to interpret “within their jurisdiction” under Art. 1 of the Convention for the Protection of Human Rights and Fundamental Freedoms to make the Art. 2 right to be free from arbitrary deprivations of life whenever anyone is killed by an act attributable to a State Party, regardless of where in the world the act was performed or its consequences felt) and Matthew Waxman, Principal Deputy Director of Policy Planning, U.S. Department of State, Opening Statement to the U.N. Human Rights Committee on the Report Concerning the International Covenant on Civil and Political Rights (Jul. 17, 2006) (asserting that “it is the long-standing view of the United States that the Covenant by its very terms does not apply outside of the territory of a State Party” and that although the United States is “aware of the views of members of this Committee regarding the extraterritorial application of the Covenant, including the Committee’s General Comment No. 31” the United States “has a principled and long-held view that the Covenant applies only to a State Party’s territory. It is the long-standing view of [the United States] that applying the basic rules for the interpretation of treaties described in the Vienna Convention on the Law of Treaties leads to the conclusion that the language in Article 2, Pargraph [sic.] 1, establishes that States Parties are required to respect and ensure the rights in the Covenant only to individuals who are BOTH within the territory of a State Party and subject to its jurisdiction.”). the customary right to be free from arbitrary deprivations of life may likewise not be constrained in application to the territorial confines of the acting State.

[L20] A State cyber operation conducted into the territory of another State that either directly injures or kills persons or increases the rates of infection and mortality by disrupting access to health care services or interfering with the other State’s ability to preserve public health likely violates the rights to life and health under customary IHRL and, for States Party to an applicable IHRL treaty, also under the relevant treaty or treaties.

[L21] So far, the focus has been on the legality of State B’s activities, but consideration must also be given to whether State A has satisfied its human rights obligations. Article 2(1) of the International Covenant on Political and Civil Rights requires States “to respect and to ensure to all individuals within its territory and subject to its jurisdiction [the right to life].” Article 2(1) of the Convention for the Protection of Human Rights and Fundamental Freedoms also obligates State A to affirmatively take steps to protect the lives of those within its jurisdiction. The latter positive obligation includes both “the duty to provide a regulatory framework; and the obligation to take preventive operational measures” and it applies in various contexts, including that of public health. It is unclear whether State A may bear some responsibility for failing to properly enact cybersecurity standards that could have prevented or minimized State B’s hostile cyber operations and the illness and death caused by them, but the possibility should not be overlooked.

Checklist

 * Sovereignty
 * What is the victim State’s position on whether sovereignty is a primary rule of international law, and if so, the content of this rule?
 * Was the operation: (a) conducted remotely; or (b) conducted from within the territory of the victim State and without its consent?
 * Did the operation cause physical damage, significant loss of functionality, or destruction of cyber infrastructure in the victim State?
 * Did the operation cause damage to or destruction of something other than cyber infrastructure in the victim State?
 * Did the operation, directly or indirectly, cause injury or death to individuals?
 * Did the operation interfere with the victim State performing its inherently governmental functions?
 * Did the operation usurp the performance of an inherently governmental function of the victim State?
 * If the facts support finding a violation of sovereignty, is there a circumstance precluding the wrongfulness of that violation?
 * Prohibition of intervention
 * Did the operation interfere with or usurp a matter unregulated by international law or left solely to the prerogative of the victim State under international law?
 * Did the operation amount to a coercive act, and if so, under what definition of “coercion”?
 * If the facts support finding a violation of the prohibition on intervention, is there a circumstance precluding the wrongfulness of that violation?
 * Use of force
 * Did the operation cause physical effects in the territory of the victim State?
 * If no physical effects manifested in the territory of the victim State, what is the victim State’s position on whether cyber operations not causing concrete effects can qualify as a use of force?
 * If physical effects resulted from the operation, were more than a de minimis number of persons in the victim State injured or killed? Did the operation result in significant physical damage or destruction of objects?
 * Did the effects generated in the victim State result immediately or near immediately from the operation?
 * Are the effects generated in the victim State directly traceable to the operation as the cause?
 * Is the perpetrator of the operation a State organ that might be expected to employ kinetic means typically characterised as a use of force (e.g., armed forces or intelligence agencies)?
 * Is the system targeted in the victim State public (governmental) or private (non-governmental)?
 * Is the scale of the effects generated in the victim State reasonably quantifiable?
 * International human rights
 * Did the operation interfere with an individual right recognized under a human rights treaty to which the States are party or that is recognized by customary international law?
 * Does the State perpetrating the operation control the territory in which the victim’s rights are violated, or does an organ of the perpetrating State exercise power or control over the victim?
 * If the organ of the State perpetrating the cyber operation does not exercise power or control over the victim in a physical sense, does that State organ exercise control over the victim’s ability to enjoy a human right recognized under a human rights treaty to which the States are party or recognized by customary international law?
 * If the operation interferes with an individual right recognized under an applicable human rights treaty or under customary international law, is that interference (a) authorized by a domestic law; (b) undertaken in the pursuit of a legitimate public interest (e.g., national security, public order, or public health) or to protect the rights of others; (c) necessary to achieve that the public interest; and (d) conducted in a manner proportionate to the desired end?
 * Did the victim State fulfil its positive obligations under IHRL (e.g., protecting the right to life of those under its jurisdiction)?

Bibliography and further reading

 * William Banks, ‘State Responsibility and Attribution of Cyber Intrusions After Tallinn 2.0’ (2017) 95 Tex. L. Rev. 1487.
 * Gary Brown and Keira Poellet, ‘The Customary International Law of Cyberspace’ (2012) Strategic Studies Quarterly 137.
 * Ian Brownlie, International Law and the Use of Force by States (OUP 1963).
 * Russell Buchan, ‘The International Legal Regulation of State-Sponsored Cyber Espionage’ in Anna-Maria Osula and Henry Rõigas (eds), International Cyber Norms: Legal, Policy & Industry Perspectives (NATO CCD COE 2016).
 * Gary P. Corn and Robert Taylor, ‘Sovereignty in the Age of Cyber’ (2017) 111 AJIL Unbound 207.
 * James Crawford, Brownlie's Principles of Public International Law (OUP 2012).
 * James Crawford, State Responsibility: The General Part (CUP 2013).
 * James Crawford, ‘State Responsibility’ in Rüdiger Wolfrum (ed), Max Planck Encyclopedia of Public International Law (OUP 2008).
 * Theodore Christakis, ‘The ICJ Advisory Opinion on Kosovo: Has International Law Something to Say about Secession?’ (2011) 24 LJIL 73.
 * Oliver Corten, The Law against War. The Prohibition on the Use of Force in Contemporary International Law (Hart Pub. 2021).
 * Ashley Deeks, 'An International Legal Framework for Surveillance' (2015) 55 Va. J. Int’l L. 291.
 * Oliver Dörr and Albrecht Randelzhofer, ‘Article 2(4)’ in Bruno Simma and others (eds), The Charter of the United Nations: A Commentary (OUP 2012).
 * Dan Efrony and Yuval Shany, ‘A Rule Book on the Shelf? Tallinn Manual 2.0 on Cyberoperations and Subsequent State Practice’ (2018) 112 AJIL 583.
 * Brian Egan, U.S. State Department Legal Advisor, ‘International Law and Stability in Cyberspace’ (Speech at Berkeley Law School, 10 November 2016).
 * David Fidler, ‘Economic Cyber Espionage and International Law: Controversies Involving Government Acquisition of Trade Secrets through Cyber Technologies’ (2013) 17/10 ASIL Insights.
 * Christine Gray, International Law and the Use of Force (OUP 2018).
 * Erika Häger & Carolina Dackö, ‘Economic Espionage: A Report by Mannheimer Swartling’ (2018).
 * Christof Heyns and others, ‘The International Law Framework Regulating the Use of Armed Drones’ (2016) 65 Int’l Comp. L.Q. 791.
 * Duncan B. Hollis and Tsvetelina van Benthem, ‘What Would Happen If States Started Looking at Cyber Operations as a “Threat” to Use Force?’ (Lawfare, 30 March 2021).
 * Japan, ‘Japan’s Position Paper for the Report of the United Nations Open-Ended Working Group on "Developments in the Field of Information and Telecommunications in the Context of International Security"’ (undated).
 * Harold Hongju Koh, ‘International Law in Cyberspace: Remarks as Prepared for Delivery to the USCYBERCOM Inter-Agency Legal Conference' (18 September 2002), reprinted in (2012) 54 Harv. Int’l L.J. Online 1, 4.
 * Marcelo Kohen, ‘The Court’s Contribution to Determining the Content of Fundamental Principles of International Law’ in Giorgio Gaja and Jenny Grote Stoutenburg (eds), Enhancing the Rule of Law through the International Court of Justice (Brill 2012).
 * David Kretzmer, ‘The Inherent Right to Self-Defence and Proportionality in Jus Ad Bellum’ (2013) 24 EJIL 235.
 * Catherine Lotrionte, ‘Countering State-Sponsored Cyber Economic Espionage Under International Law’ (2015) 40 N.C. J. Int'l L. & Com. Reg. 443.
 * Marko Milanovic, ‘Human Rights Treaties and Foreign Surveillance: Privacy in the Digital Age’ (2015) 56/1 Harv Int’l LJ 81.
 * Marko Milanovic and Michael N Schmitt, ‘Cyber Attacks and Cyber (Mis)Information Operations During a Pandemic’ (2020) 11 J. Nat’l Security L. & Pol’y 247.
 * Tomohiro Mikanagi and Kubo Mačák, ‘Attribution of Cyber Operations: An International Law Perspective on the Park Jin Hyok case’ (2020) 9 Cambridge Int’l L, J. 51.
 * Marco Roscini, Cyber Operations and the Use of Force in International Law (OUP 2014).
 * Michael N Schmitt (ed), Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (CUP 2017).
 * Michael N Schmitt, ‘The Use of Cyber Force and International Law’ in Marc Weller (ed), Oxford Handbook on the Use of Force in International Law (OUP 2015).
 * Michael N Schmitt, ‘Virtual Disenfranchisement: Cyber Election Meddling in the Grey Zones of International Law’ (2018) 19 Chi. J. Int’l L. 30.
 * Michael N Schmitt and Liis Vihul, ‘Respect for Sovereignty in Cyberspace’ (2017) 95 Tex. L. Rev. 1639.
 * The Second Oxford Statement on International Law Protections of the Healthcare Sector During COVID-19: Safeguarding Vaccine Research (7 August 2020).
 * Nicholas Tsagourias ‘Cyber Attacks, Self-Defence and the Problem of Attribution’ (2012) 17 (2) JCSL 23.
 * Wolff Heintschel von Heinegg, ‘Territorial Sovereignty and Neutrality in Cyberspace’ (2013) 89 Int’l L. Stud. 123.
 * Matthew Waxman, Principal Deputy Director of Policy Planning, U.S. Department of State, ‘Opening Statement to the U.N. Human Rights Committee on the Report Concerning the International Covenant on Civil and Political Rights’ (17 July 2006).
 * Jeremy Wright, ‘Cyber and International Law in the 21st Century’ (23 May 2018).
 * Katja Ziegler, ‘Domaine Réservé’ in Rüdiger Wolfrum (ed), Max Planck Encyclopedia of Public International Law (OUP 2008, updated April 2013).

Contributions

 * Scenario by: Jeremy K. Davis
 * Analysis by: Jeremy K. Davis
 * Reviewed by: Duncan Hollis and Ori Pomson