Scenario 07: Leak of State-developed hacking tools

This scenario concerns the leak of State-developed hacking tools, the failure of a State to inform software companies of vulnerabilities in their products, and the repurposing of the hacking tools for criminal purposes. The legal analysis of this scenario examines the obligation of due diligence, the obligation to respect sovereignty, and the prohibition of intervention.

Keywords
Malware, sovereignty, prohibition of intervention, due diligence

Facts
[F1] A website appears on the Internet, offering the sale of various hacking tools, including zero-day vulnerabilities, spyware, and ready-made exploits. The sellers allege that all of the tools on offer had been developed by State A’s intelligence services (incident 1). Independent security researchers confirm that the advertised tools indeed resemble a number of different tools previously used in cyber operations in which State A had been implicated. After initial hesitation, State A officials confirm the leak of the hacking tools caused by unknown attackers.

[F2] Website hosting the tools is immediately noticed by the authorities and the content is taken down. However, once exposed on the Internet, the tools are considered as leaked and almost certainly spreading further.

[F3] Software companies whose products are said to contain the vulnerabilities launch a formal protest with State A for not having informed them of the existence of those vulnerabilities, before and especially after the leak (incident 2).

[F4] The tools are later repurposed by State B’s military unit and used in a ransomware (or mock ransomware) campaign, causing substantial losses globally, including paradoxically in State A. In particular, the spread of the ransomware results in the encryption of data in several of State A’s governmental information systems (incident 3). The facts as stated above have been verified by independent security researchers.

Examples

 * The Shadow Brokers publishing the NSA vulnerabilities (2016)
 * WannaCry (2017)
 * NotPetya (2017)

Legal analysis
For a general overview of the structure of analysis in this section, see Note on the structure of articles.

[L1] The legal analysis of the present scenario is divided into four parts: the first two parts discuss the potential responsibility of State A due to a breach of the obligation of due diligence and the following two parts deal with the potential responsibility of State B for a violation of sovereignty and prohibited intervention based on the ransomware campaign.

Attribution to State A
[L2] Internationally wrongful acts of States may consist of actions as well as of omissions. However, whether there is an omission relevant for the purposes of attribution is intertwined with the existence of a concomitant international obligation and, therefore, with the identification of a subject by which this obligation is owed. It is in this sense that the failure of State A to prevent the theft of its tools (incident 1) and to report the existence of specific vulnerabilities to software manufacturers (incident 2) must be assessed.

[L3] Attribution of incident 3 to State A is not realistic. State A would only be responsible for the conduct of State B’s military unit if the unit was placed at the disposal of State A and acting in the exercise of elements of the governmental authority of State A (see attribution).

Due diligence
[L4] In the present scenario, all the required elements would likely not be met. First, the leak of the hacking tools and failure to inform the software manufacturers from State A (incidents 1-2) could be contrary to the rights of third States, because it makes their cyber infrastructure more vulnerable to malicious activities. However, the leak is a fairly remote cause of the malicious activities, because an intervening act of a malicious actor is required; it is, therefore, questionable whether the consequence can still be attributed to State A (condition 1).

[L5] The leak utilised the computer systems (cyber infrastructure) of State A. However, it is questionable if the leak itself is the harmful activity: rather, the abuse of the hacking tools is. Nevertheless, even if cyber infrastructure is interpreted broadly to include software such as some of the hacking tools originally developed by State A, these tools were nonetheless no longer under the sole control of State A when they were repurposed and used to cause harm to third parties (condition 2).

[L6] If State A had purposefully sold or transferred their hacking tools to a third party, be it a State or a non-State actor, it would be responsible for further operations utilizing the hacking tools only if these were attributable to State A – for instance, if State A also exercised direction and control over the non-State actor - and those operations amounted to a breach of an international legal obligation (condition 3).

[L7] The leak led to substantial losses, which might qualify as “serious adverse consequences” if they cause, for instance, serious disruptions of societal functions, but again, the leak is causally remote from these consequences (condition 4).

[L8] State A knew about the leak. The scenario does not say since when exactly, but it is assumed that State A knew at the latest when the origin of the hacking tools was confirmed by independent researchers (condition 5).

[L9] State A did not inform the software manufacturers, which could have mitigated the consequences. This was an omission on its part to take all feasible measures in response to acts harmful to third parties (condition 6).

[L10] In sum, it would be difficult to determine a breach of the due diligence obligation by State A. The major stumbling blocks are the absence of an unqualified international obligation not to transfer State hacking tools to third parties (condition 3), remoteness of the causality (conditions 1 and 4), and the uncertainty about the seriousness of the adverse consequences (condition 4).

Attribution to State B
[L11] Incidents 1-2 are not attributable to State B – there is no indication of State B’s involvement in the leak of vulnerabilities. Incident 3 (the ransomware campaign) is attributable to State B, because the operation was conducted by one of its military units, which qualifies as an organ of the State.

State B’s obligation not to violate the sovereignty of State A
[L12] In the present scenario, State B’s ransomware campaign was not conducted from State A’s territory (option 1) nor did it result in physical damage or injury (option 2), despite having caused significant economic losses. However, the cyber operation did cause a loss of functionality of many computer systems, including in State A, which is relevant for option 3. Additionally, it is possible the cyber operation interfered with State A’s inherently governmental functions (option 4), although the information about State A’s public information systems is not detailed enough to conclude what their function was. In sum, there is some evidence, albeit not conclusive on the facts provided, which suggests that State B may have violated its obligation not to violate the sovereignty of State A.

Prohibited intervention by State B
[L13] In the present scenario, there is nothing to suggest that State B's ransomware campaign was targeting State A’s sovereign right to decide its own internal affairs freely. The fact that the ransomware campaign is designed to coerce State A to transfer funds to State B in and of itself is not sufficient to meet the requirements for an intervention. The element of coercion must be related to the form of interference that State B engages with a view to forcing a change to State A's policy or decision regarding its own internal affairs.

[L14] Compared to the economic losses caused by the incidents, the collected ransom was likely negligible. States in similar situations are not very likely to pay the ransom, which undermines the argument that the acts were coercive, rather than disruptive.

[L15] In sum, it is difficult to label the operation as prohibited intervention.

Checklist

 * Due diligence:
 * In what circumstances would a State violate international law if it transferred the hacking tools to a non-State actor or another State on purpose?
 * Are State-developed hacking tools “cyber infrastructure” of that State, even if they are used outside its territory and without its control?
 * How proximate is the causal link between the stealing of the hacking tools and the consequences caused by their use?
 * Did the stealing and sale of the hacking tools result in serious adverse consequences for the victim State?
 * Did State A have actual or constructive knowledge that its territory was bring used for the stealing or sale of the hacking tools contrary to the rights of and resulting in serious adverse consequences for other States?
 * Did the potentially responsible State take all feasible measures to put an end to the malicious cyber activities?
 * Sovereignty:
 * Was the ransomware campaign conducted by a State organ of State B physically present on the territory of State A?
 * Did the ransomware campaign result in physical damage or injury on State A’s territory?
 * Did the ransomware campaign cause a loss of functionality of State A’s computer systems?
 * Did the ransomware campaign interfere with State A’s inherently governmental functions?
 * Prohibition of intervention:
 * Did the ransomware campaign bear on the internal or external affairs of State A?
 * Did the ransomware campaign coerce State A by depriving it of its freedom of choice concerning its internal or external affairs?

Bibliography and further reading

 * Luke Chircop, ‘A Due Diligence Standard of Attribution in Cyberspace’ (2018) 67 ICLQ 643.
 * James Crawford, Brownlie's Principles of Public International Law (OUP 2012).
 * James Crawford, State Responsibility: The General Part (CUP 2013).
 * Gary P. Corn and Robert Taylor, ‘Sovereignty in the Age of Cyber’ (2017) 111 AJIL Unbound 207.
 * Wolff Heintschel von Heinegg, 'Territorial Sovereignty and Neutrality in Cyberspace' (2013) 89 Int’l L. Stud. 123.
 * Franck Latty, ‘Actions and Omissions’ in James Crawford and others (eds), The Law of International Responsibility (OUP 2010).
 * Michael N Schmitt (ed), Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (CUP 2017).
 * Michael N Schmitt, 'Virtual Disenfranchisement: Cyber Election Meddling in the Grey Zones of International Law' (2018) 19 ChiJIntlL 30.
 * Michael N Schmitt and Jeffrey Biller, ‘The NotPetya Cyber Operation as a Case Study of International Law’, EJIL: Talk!, 11 July 2017.
 * Michael N Schmitt and Liis Vihul, ‘Respect for Sovereignty in Cyberspace’ (2017) 95 Tex L Rev. 1639.
 * Michael N Schmitt and Sean Fahey, ‘WannaCry and the International Law of Cyberspace’, JustSecurity, 22 December 2017.
 * Sean Watts & Theodore Richard, 'Baseline Territorial Sovereignty and Cyberspace' (2018) 22 Lewis & Clark L. Rev. 771.
 * Rüdiger Wolfrum, ‘Obligation of Result Versus Obligation of Conduct: Some Thoughts About the Implementation of International Obligations’ in Mahnoush H Arsanjani and others, Looking to the Future: Essays on International Law in Honor of Michael Reisman (Brill 2010).
 * Katja Ziegler, “Domaine Réservé”, in Rudiger Wolfrum (ed), Max Planck Encyclopedia of Public International Law (OUP 2008).

Contributions

 * Scenario by: Taťána Jančárková & Tomáš Minárik
 * Analysis by: Tomáš Minárik
 * Reviewed by: Hitoshi Nasu; Petr Novotný; Barrie Sander