Scenario 08: Certificate authority hack

The scenario analyses a cyber operation against a certificate authority that provides services to private and public entities, with indications that the operation was commissioned or exploited by a State. What are the relevant human rights obligations in cyberspace? What other international obligations may have been breached?

Keywords
Attribution, sovereignty, prohibition of intervention, mass surveillance, international human rights law

Facts
A company based in State A provides certificate authority services, including to government departments and agencies of State A. It has now been hacked by intruders, who assume control of the company’s certificate-issuing servers and, for several weeks, proceed to issue fraudulent certificates for private-sector services, such as email or VoIP-based telephony, but also for services related to the company register in State A. Indicators of compromise (IoCs) initially point to the use of proxies (an unaffiliated group) in incident 1, but eventually lead to State B’s intelligence service, which had ordered and paid the group to issue some of the fraudulent certificates, including for the company register in State A (incident 1).

The fraudulent certificates are later used in a massive man-in-the-middle attack to intercept the free (webmail) email communication of several hundred thousand individuals in State A (incident 2). Available evidence shows that this mass surveillance operation was conducted entirely by State B’s intelligence service.

Eventually, all of the certificates issued by the company are blacklisted by the major internet browsers, the attack is contained, and the company files for bankruptcy.

State A and State B are States parties to the International Covenant on Civil and Political Rights (ICCPR).

Similar real-world incidents

 * DigiNotar (2011)

Legal analysis
For a general overview of the structure of analysis in this section, see Note on the structure of articles.

The legal analysis first briefly deals with the attribution of incidents 1 and 2 to State B, then continues with the breach of State B’s obligations to respect the sovereignty of other States, prohibition of intervention, and the obligations arising from international human rights law.

Non-State actors
In the present scenario, it is crucial that State B ordered and paid the group to issue some of the fraudulent certificates in incident 1. The fact of accepting this order confirms the existence of a factually subordinate relationship at the relevant time, and thus the conduct of the non-State group is attributable to State B under the “instruction” standard of Article 8 of ILC’s Articles on State Responsibility.

State organs
The intelligence service of State B is an organ of that State; therefore, its conduct is attributable to State B. In the present scenario, this covers the mass interception of emails in State A (incident 2).

Breach of an international obligation
The following options can be considered in the case at hand:

Obligation to respect the sovereignty of other States
There is no evidence that options 1 or 2 would be of relevance in this scenario.

With respect to option 3, the fact that the company’s certificates were blacklisted implies that the services using those certificates had to switch to a different certificate authority. In the meantime, the trustworthiness of these services could not be guaranteed. Some websites using the blacklisted certificates would still function, but browsers would issue security alerts, leading to economic losses for the respective businesses, as customers would be afraid to proceed to their websites. Other services lost functionality until they installed new certificates; in particular, online payment systems and mobile banking apps would stop working completely.

The precise threshold of loss of functionality is difficult to determine. If the loss is only temporary, does not lead to significant disruptions, and can be easily fixed, then it would likely not qualify. However, assuming that the threshold was reached, State B is responsible to the extent that it ordered the non-State actor to issue some of the fraudulent certificates (incident 1).

As for option 4, some of the affected systems were providing secure access to State A’s company register. Running this register is an inherently governmental function of State A, and if the function could not be provided because of the interference by State B (incident 1), then State B’s conduct amounted to a violation of State A’s sovereignty.

Option 5, the usurpation of inherently governmental functions by State B, poses an interesting problem: was State B exercising law enforcement functions in State A’s territory by intercepting the emails of several hundred thousand people in State A’s territory (incident 2)? Interestingly, the answer seems to lie in the goal of State B: if its intelligence service was collecting evidence for criminal proceedings abroad without the consent of State A, then it was exercising law enforcement functions and hence violating State A’s sovereignty; if it was merely engaging in cyber espionage for national security purposes, then according to this option, it was not usurping inherently governmental functions of State A.

On the basis of the foregoing, it can be summarized that in the context of incident 1, State B violated the sovereignty of State A insofar as the actions of the non-State actor can be attributed to State B. As for incident 2, the answer depends on the actual goal of State B’s conduct.

Prohibition of intervention
In incident 1, State B interfered with the internal affairs of State A by having a non-State actor issue fraudulent certificates, thereby undermining the security of online government services. However, proving the coercive nature of the act can be difficult. It depends on the ultimate goal of State B, and whether the act can be causally linked to the goal. If State B merely wanted to cause nuisance and economic loss to State A without any particular goal, the act does not qualify as prohibited intervention (even though it does qualify as a violation of sovereignty: see above).

In incident 2, the analysis again depends on the goal of State B. If State B wanted to engage in cyber espionage against the Internet users in State A’s territory, or even if it wanted to conduct law enforcement activities in State A’s territory, without any intent to influence State A’s decisions on its internal or external affairs, the prohibition of intervention would not have been breached.

Obligations arising from international human rights law
(1) Does the obligation of State B to respect the right to privacy pursuant to Article 17 ICCPR apply to its cyber operations against individuals in State A? The owners and presumably also the content of the intercepted email accounts were located in State A. State B, whose State organ commissioned the preparation of the interception and then executed it itself, would be obligated to respect the human rights of those persons if they were under its jurisdiction or control.

According to one line of thought, if an organ of State B can, in the exercise of its jurisdiction, secretly interfere with the human rights of individuals anywhere in the world without the knowledge of the territorial State (in this case, State A), then it is logically State B which must make sure that this interference is conducted in accordance with the requirements of the ICCPR.

The counterargument is that there is a lack of consensus on whether interfering with cyber infrastructure abroad can amount to exerting effective control. In the present state of the law, State B therefore cannot be held responsible for violating the human rights of the individuals concerned.

(2) Assuming that the ICCPR applies, a surreptitious interception of emails between individuals is an interference with their right to privacy pursuant to Article 17 ICCPR (specifically, interference with their correspondence). Depending on the goal of State B, the interception might also implicate Article 19 ICCPR (right to freedom of expression).

(3) The scenario does not contain any information about State B’s domestic law. If there is a domestic law regulating extraterritorial surveillance or criminal investigation, which is compliant with the requirements of the international obligation (legality, legitimacy of the objective, necessity to achieve the goal, and proportionality), and the email interception is done in accordance with that law, then State B’s activity would be in accordance with the ICCPR.

With regard to the number of affected individuals (“several hundred thousand”), it should be noted that the Court of Justice of the European Union (CJEU) has ruled any bulk online surveillance to be incompatible with the EUCFR; however, as of October 2018, the case-law of the ECtHR seems to be developing in a less strict direction. Although these rulings do not directly apply to States that are not members of the relevant international organizations, they may nonetheless carry persuasive value for the further development of the law in this area.

On the basis of the foregoing, it therefore cannot be concluded that the interception of emails by itself amounts to a violation of international human rights law. Although such conduct would most certainly interfere with several human rights of the affected individuals, its compatibility with IHRL would fall to be determined by the justification proffered by the acting State.

Checklist

 * Attribution: Did State B provide instructions or exercise direction or control over the non-State actor?
 * Attribution: Is an intelligence agency a State organ of State B?
 * Sovereignty: Did State B’s operation cause a loss of functionality of another State’s cyber infrastructure?
 * Sovereignty: Did State B usurp State A’s inherently governmental functions by its cyber operation in State A’s territory?
 * Prohibited intervention: Did State B try to coerce State A by its cyber operation?
 * International human rights law: Does the ICCPR apply to State B’s cyber operation abroad?
 * International human rights law: Which human rights are implicated by State B’s cyber operation?
 * International human rights law: Is State B’s cyber operation justified from the perspective of international human rights law?

Bibliography and further reading

 * MN Schmitt (ed), Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (CUP 2017)

Original text by: Tomáš Minárik

Reviewed by: Kubo Mačák