Scenario 02: Cyber espionage against government departments

From International cyber law: interactive toolkit
Revision as of 16:49, 29 August 2018 by Uncleistvan1BBB (talk | contribs)
Jump to navigation Jump to search

A military unit of State B conducts a cyber espionage operation against State A’s Ministry of Foreign Affairs and its subordinate organizations. The data obtained in this operation is later published on the Internet.

The analysis considers whether State B’s operation violated diplomatic and consular law, sovereignty, and the prohibition of intervention.


Scenario

Keywords

Cyber espionage, diplomatic and consular law, State responsibility, sovereignty, prohibited intervention

Facts

State A discovers that a mail server and several other servers belonging to its Ministry of Foreign Affairs (MFA) have been infiltrated. Investigation shows that the intruders gained access to the mail server by obtaining passwords of several consular officers at State A’s missions abroad through spear phishing and fake log-on websites (incident 1).

After gaining access, the intruders escalated their privileges and moved laterally through the network. Within a few days, they gained access to other servers and services. They had access to data of various MFA personnel including senior officials for several months (incident 2).

A vast amount (over 10 GB) of unclassified data was exfiltrated, even though it is not immediately clear what precise data was affected by the incident (incident 3). No data was destroyed or encrypted.

Nobody claims responsibility for the attack immediately after the discovery of the incident. However, a few days later, emails, procurement documents, and internal memos purportedly belonging to the MFA of State A are published on the Internet. (incident 4).

Judging by the nature of the compromised data and by persons that were apparently of particular interest to the attackers, the attackers seem to have been located in or related to State B. Technical investigation suggests that the malware tools used were in the past employed by an entity affiliated with a military unit of State B. Following requests for information addressed to various CERTs around the world, State A’s authorities establish that similar attacks have been executed against central government institutions in several other countries. Earlier on, head of an allied intelligence service in State C had publicly accused State B of a cyber espionage campaign conducted by the above military unit against that State C’s MFA.

Both State A and State B are parties to the Vienna Convention on Diplomatic Relations (VCDR)[1] and the Vienna Convention on Consular Relations (VCCR).[2]

Similar real-world incidents

NB: Links in this section will go to separate pages for each of these incidents within the toolkit (for demonstration purposes only, they now link to Wikipedia pages on those topics).

  • APT-29 attacks on ministries in 2016-2017
  • OPM hack

Legal analysis

The legal analysis focuses on the law of State responsibility, taking into account the sovereignty of State A, prohibition of intervention, and diplomatic and consular law as the applicable lex specialis.

International humanitarian law is not analysed in detail. There is no ongoing armed conflict, nor do the incidents trigger the application of international humanitarian law. They do not amount to a use of force or an armed attack, because they are not severe enough to be comparable to a ‘physical’ use of force.

Definition

State responsibility
State responsibility.svg
Responsibility of States for internationally wrongful acts is a well-established concept in international law, resulting from the fact that each State has a legal personality and can bear legal obligations.[3] The law of State responsibility is largely customary in nature; its codification is provided by the Draft Articles on the Responsibility of States for Internationally Wrongful Acts.[4] While some of the Articles are more controversial, they are generally accepted as reflective of customary law.[5] The law of State responsibility also applies to cyber operations and other cyber activities.[6]

Every internationally wrongful act of a State has two elements: 1) attributability to the State under international law, and 2) breach of an international obligation of the State.[7]Besides these two elements, it is necessary to ascertain whether the act in question involved any 3) circumstances precluding wrongfulness.[8].

Appendixes

See also

Notes and references

  1. Vienna Convention on Diplomatic Relations (adopted 18 April 1961, entered into force 24 April 1964), 500 UNTS 95.
  2. Vienna Convention on Consular Relations (adopted 24 April 1963, entered into force 19 March 1967), 596 UNTS 261.
  3. James Crawford, “State Responsibility”, in R Wolfrum (ed), Max Planck Encyclopedia of Public International Law (OUP 2008), para 1.
  4. Draft Articles on the Responsibility of States for Internationally Wrongful Acts, prepared by the International Law Commission and approved by the General Assembly resolution 56/83 of 12 December 2001.
  5. James Crawford, “State Responsibility”, in R Wolfrum (ed), Max Planck Encyclopedia of Public International Law (OUP 2008), para 65.
  6. UN GGE 2015 'Report of the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security report' (22 July 2015) UN Doc A/70/174, para 28(f); Tallinn Manual 2.0, commentary to rule 14, para 1. See also, e.g., Japan, ‘Japan’s Position Paper for the Report of the United Nations Open-Ended Working Group on “Developments in the Field of Information and Telecommunications in the Context of International Security”’ (undated) (‘Japan recognizes that basic rules on State responsibility including those on countermeasures applies to cyberspace.’); Dutch Ministry of Foreign Affairs, ‘Letter to the parliament on the international legal order in cyberspace’ (5 July 2019) 1 (‘Any violation of [obligations under international law that apply to states in cyberspace] that is attributable to a state constitutes an internationally wrongful act, unless there is a ground for precluding the wrongfulness of an act recognised in international law’); United Kingdom, ‘Statement on Other Disarmament Measures and International Security to the 72nd UNGA First Committee’ (23 October 2017) (‘We reaffirm that the law of state responsibility applies to cyber operations in peacetime’).
  7. Articles on State Responsibility, Art 2.
  8. Articles on State Responsibility, Arts 20-26.

Bibliography and further reading

Attribution

As a rule, the conduct of State organs is attributable to the State in question;[1] by contrast, the conduct of non-State actors or third States’ organs can only be attributed to the State under specific circumstances.[2]

State organs and persons and entities in exercise of governmental authority

State organs and persons and entities in exercise of governmental authority
The following types of conduct of State organs and persons and entities in exercise of governmental authority are attributable to a State:
  1. The conduct of any of the organs of that State, "whether the organ exercises legislative, executive, judicial or any other functions, whatever position it holds in the organization of the State, and whatever its character as an organ of the central Government or of a territorial unit of the State";[3]
  2. The conduct of an organ of another State placed at the disposal of the State in question, if "the organ is acting in the exercise of elements of the governmental authority" of the latter State;[4]
  3. The conduct of "a person or entity which is not an organ of the State […] but which is empowered by the law of that State to exercise elements of the governmental authority, […] provided the person or entity is acting in that capacity in the particular instance."[5]

Such conduct is attributable to the State even if the organ, person or entity acting in that capacity "exceeds its authority or contravenes instructions" (acts ultra vires).[6]

Non-State actors

Non-State actors
Activities of non-State actors (groups and individuals) are generally not attributable to States. However, such conduct can be attributable to a State in particular if the actor is:
  1. "in fact acting on the instructions of, or under the direction or control of, that State in carrying out the conduct";[7]
  2. "in fact exercising elements of the governmental authority in the absence or default of the official authorities and in circumstances such as to call for the exercise of those elements of authority";[8]
  3. "an insurrectional movement which becomes the new Government of a State";[9] or
  4. "a movement, insurrectional or other, which succeeds in establishing a new State in part of the territory of a pre-existing State or in a territory under its administration".[10]

Additionally,

  1. the conduct of a non-State actor is attributable to a State "if and to the extent that the State acknowledges and adopts the conduct in question as its own".[11]

Evidentiary standards

Evidentiary standards
Evidentiary standards applicable to the attribution of cyber activities are context-dependent.[12] The law of State responsibility as such does not contain generally applicable burdens, standards, or methods of proof,[13] and these matters are instead ordinarily determined by the relevant forum.[14]

However, in case a State is considering a response to an internationally wrongful act, the standard of attribution is that of "reasonableness", i.e. "States must act as reasonable States would in the same or similar circumstances when considering responses to them."[15] This depends, among other factors, on the "reliability, quantum, directness, nature (e.g., technical data, human intelligence), and specificity of the relevant available information when considered in light of the attendant circumstances and the importance of the right involved."[16] Nevertheless, there is no obligation to publicly provide the evidence.[17]

Specific rules may apply to some responses, so when State A responds with countermeasures after misattributing an internationally wrongful act to State B, it commits an internationally wrongful act of its own, even though it correctly applied the "reasonableness" standard of attribution.[18]

Appendixes

See also

Notes and references

  1. ILC Articles on State Responsibility, Art 4.
  2. ILC Articles on State Responsibility, Art 8.
  3. ILC Articles on State Responsibility, Art 4(1).
  4. ILC Articles on State Responsibility, Art 6.
  5. ILC Articles on State Responsibility, Art 5.
  6. ILC Articles on State Responsibility, Art 7; Tallinn Manual 2.0, commentary to rule 15, paras. 6-7 and 12.
  7. ILC Articles on State Responsibility, Art 8; see also Kubo Mačák, ‘Decoding Article 8 of the International Law Commission’s Articles on State Responsibility: Attribution of Cyber Operations by Non-State Actors’ (2016) 21 JC&SL 405.
  8. ILC Articles on State Responsibility, Art 9.
  9. ILC Articles on State Responsibility, Art 10(1).
  10. ILC Articles on State Responsibility, Art 10(2).
  11. ILC Articles on State Responsibility, Art 11.
  12. See further Marco Roscini, ‘Evidentiary Issues in International Disputes Related to State Responsibility for Cyber Operations’ (2015) 50 Texas International Law Journal 233; Isabella Brunner, Marija Dobrić and Verena Pirker, ‘Proving a State’s Involvement in a Cyber-Attack: Evidentiary Standards Before the ICJ’ (2015) 25 Finnish Yearbook of International Law 75; Tomohiro Mikanagi and Kubo Mačák, ‘Attribution of Cyber Operations: An International Law Perspective on the Park Jin Hyok case’ (2020) 9 Cambridge International Law Journal 51, 64-68.
  13. ILC Articles on State Responsibility, commentary to chapter III, para 4 ("Questions of evidence and proof of such a breach fall entirely outside the scope of the articles."); ibid, commentary to Art 19, para 8 ("Just as the articles do not deal with questions of the jurisdiction of courts or tribunals, so they do not deal with issues of evidence or the burden of proof.").
  14. Tallinn Manual 2.0, Chapter 4 Section 1, para 8.
  15. Tallinn Manual 2.0, Chapter 4 Section 1, para 10; Cf. Yeager v Islamic Republic of Iran (1987) 17 Iran-US CTR 92, 101–02 (‘[I]n order to attribute an act to the State, it is necessary to identify with reasonable certainty the actors and their association with the State.’).
  16. Tallinn Manual 2.0, Chapter 4 Section 1, para 10.
  17. According to the UK Attorney General, "[t]here is no legal obligation requiring a state to publicly disclose the underlying information on which its decision to attribute hostile activity is based, or to publicly attribute hostile cyber activity that it has suffered in all circumstances." (UK Attorney General, Jeremy Wright QC MP, 'Cyber and International Law in the 21st Century'; see also Tallinn Manual 2.0, Chapter 4 Section 1 chapeau, para 13.
  18. Tallinn Manual 2.0, Chapter 4 Section 1, para 12; see also ILC Articles on State Responsibility, Art 49 para 3 (“A State taking countermeasures acts at its peril, if its view of the question of wrongfulness turns out not to be well founded.”)

Bibliography and further reading

The military unit of State B qualifies as an organ of that State.[1] As such, its relevant conduct is directly attributable to State B.[2] The following analysis proceeds on the assumption that all incidents described in the scenario (incidents 1–4) were conducted by the said State B’s military unit.

Breach of international obligation

Definition

Breach of an international obligation
Breach of an international obligation.svg
The second element of an internationally wrongful act is conduct amounting to a breach of an international obligation owed by the relevant entity.[3] In this regard, it is undisputed that a cyber-related action or omission by a State may constitute a breach of its international obligations.[4] International obligations arise from primary rules of international law:[5] international treaties, customary international law, and general principles of law.[6] Fault, such as intent or negligence on part of the wrongdoing State, is not a necessary element of a breach of an international obligation, unless there exists such a requirement in the relevant primary rule.[7] Similarly, there is no general requirement for the injured party to have suffered any damage—again, unless such a requirement forms part of the primary obligation in question.[8]

It is impossible to provide a list of all international obligations that may be violated by resort to cyber means. However, certain rules appear with higher frequency than others. These include the prohibition on the use of force; the prohibition of intervention; the obligation to respect the sovereignty of other States; the obligation to respect the right to privacy; the obligation of due diligence; and a few others (such as, for instance, the rule of distinction in the context of the law of armed conflict).

Appendixes

See also

Notes and references

  1. See, for example, ICRC Customary IHL Study, vol 1, 530–531 (“The armed forces are considered to be a State organ, like any other entity of the executive, legislative or judicial branch of government.”).
  2. Articles on State Responsibility, Art. 4(1); Tallinn Manual 2.0, commentary to rule 15, para. 1.
  3. Cf. ILC Articles on State Responsibility, Art. 2(b).
  4. For a detailed discussion of a breach of an international obligation by a cyber-related act, see rule 14 of Tallinn Manual 2.0 and commentary 2–11 thereto.
  5. ILC Articles on State Responsibility, General commentary, para 1.
  6. Statute of the International Court of Justice, of 26 June 1945, annexed to the UN Charter, Art 38(1)(a)–(c).
  7. ILC Articles on State Responsibility, Art. 2, para 10.
  8. ILC Articles on State Responsibility, Art. 2, para 9.

Bibliography and further reading

The following obligations based on treaty law and customary international law are considered:

Diplomatic and consular law

The Vienna Convention on Diplomatic Relations and the Vienna Convention on Consular Relations are considered to be broadly reflective of customary international law.[1] Therefore, even if State A or State B had not ratified these Conventions, the rules analysed below would still apply to their diplomatic and consular relations.

International law protects the inviolability of documents and archives of diplomatic missions and consular posts.[2] This includes any official correspondence, whether in electronic or paper form.[3] The international legal obligation to respect inviolability is unaffected by the frequent practice of States to conduct cyber espionage operations that violate this duty. This is because any such practice is regularly condemned by the victim States, whereas the offending States refrain from putting forward any corresponding legal justification of such operations.[4]

In incident 1, by gaining access to an official email account of a consular officer, State B ran afoul of the inviolability of official correspondence. The lateral movement (incident 2) and exfiltration of data (incident 3) are just further steps in the illegal activity of State B, at least to the extent that the hacked accounts and servers contained data pertaining to State A’s diplomatic missions and consular posts, irrespective of their location.[5]

Incident 4, wherein the data was published on the Internet, raises the question whether the published materials are still protected by international law. This issue is unsettled in the present state of the law. One view, endorsed by a majority of the experts drafting the Tallinn Manual, is that inviolability no longer applies to data that has been made public, as it is “not confidential as a matter of fact”.[6] By contrast, others believe that the duty to respect the inviolability of the materials in question continues to apply in such cases.[7] The primary reason for this view is that the duty of inviolability covers the protected materials “wherever they may be”,[8] which therefore includes even the public domain.[9]

Sovereignty

Definition

  1. See, for example, J Wouters, S Duquet, and K Meuwissen, “The Vienna Conventions on Diplomatic and Consular Relations” in AF Cooper, J Heine, and R Thakur (eds), The Oxford Handbook of Modern Diplomacy (OUP 2013) 510 (noting that VCDR’s and VCCR’s main provisions have acquired customary status); ICJ, United States Diplomatic and Consular Staff in Tehran [1980] ICJ Rep 3, 31–32 [62] (noting that the relevant obligations under the two treaties are “also obligations under general international law”).
  2. Art. 24 VCDR; Art. 33 VCCR.
  3. Tallinn Manual 2.0, commentary to rule 41, para. 3.
  4. Tallinn Manual 2.0, commentary to rule 41, para. 11.
  5. See Tallinn Manual 2.0, commentary to rule 41, para. 6 (noting that archives and documents of a diplomatic mission or a consular post remain inviolable even if they are stored outside of the receiving State, including on a server belonging to the sending State’s ministry of foreign affairs).
  6. Tallinn Manual 2.0, commentary to rule 41, para. 14.
  7. Tallinn Manual 2.0, commentary to rule 41, para. 15.
  8. Art. 24 VCDR and Art. 33 VCCR.
  9. Tallinn Manual 2.0, commentary to rule 41, para. 15.
Sovereignty
Sovereignty is a core principle of international law. According to a widely accepted definition of the term in the 1928 Island of Palmas arbitral award,

[s]overeignty in the relations between States signifies independence. Independence in regard to a portion of the globe is the right to exercise therein, to the exclusion of any other State, the functions of a State.[1]

Multiple declarations by the UN,[2] NATO,[3] OSCE,[4] the European Union,[5] and individual States have confirmed that international law applies in cyberspace. Accordingly, so too does the principle of sovereignty. However, there is some debate as to whether this principle operates as a standalone rule of international law, the breach of which gives rise to state responsibility.
  • For the proponents of this view, the prohibition on violating the sovereignty of other States is a substantive primary rule of international law, the breach of which is an internationally wrongful act. This view was unanimously accepted by the experts who prepared the Tallinn Manual 2.0.[6] It has also been adopted by several States including Austria,[7] the Czech Republic,[8] Finland,[9] France,[10] Germany,[11] Iran,[12] and the Netherlands.[13]
  • By contrast, the opposing view is that sovereignty is a principle of international law that may guide State interactions, but it does not amount to a standalone primary rule.[14] This view has now been adopted by one State, the United Kingdom,[15] and has been endorsed by the U.S. Department of Defense General Counsel.[16] By this approach, cyber operations cannot violate sovereignty as a rule of international law, although they may constitute prohibited intervention, use of force, or other internationally wrongful acts.

The remainder of this section proceeds on the basis of the former “sovereignty-as-rule” approach. Those espousing the latter “sovereignty-as-principle” approach should refer to other relevant sections of the legal analysis (such as that on the prohibition of intervention).

It is understood that sovereignty has both an internal and an external component.[17] In the cyber context, the “internal” facet of sovereignty entails that “[a] State enjoys sovereign authority with regard to the cyber infrastructure, persons, and cyber activities located within its territory, subject to its international legal obligations.”[18][19]

As a general rule, each State must respect the sovereignty of other States.[20] It is clear that a cyber operation with severe destructive effects, comparable to a “non-cyber” armed attack or a use of force against a State, constitutes a violation of its sovereignty; however, with more subtle cyber operations, the question is far from settled.[21]

The following modalities, highlighted in the Tallinn Manual 2.0, represent different ways of determining what a “sovereignty violation” might mean in the context of cyber operations:

  1. A State organ conducting cyber operations against a target State or entities or persons located there while physically present in the target State's territory violates the target State's sovereignty.[22] This was agreed by all Experts drafting the Manual; however, “a few” of the Experts thought that the extensive State practice carved out an exception for espionage operations.[23]
  2. Causation of physical damage or injury by remote means;[24] again, “a few” Experts took the position that this is a relevant but not a determinative factor by itself.[25]
  3. Causation of a loss of functionality of cyber infrastructure: although the Tallinn Manual 2.0 experts agreed that a loss of functionality constituted “damage” and thus a breach of sovereignty, no consensus could be achieved as on the precise threshold for a loss of functionality (the necessity of reinstallation of operating system or other software was proposed but not universally accepted);[26] Below this threshold, there was no agreement among the Experts whether operations that do not cause physical consequences or a loss of functionality qualify as a violation of sovereignty.[27]
  4. Interference with data or services that are necessary for the exercise of "inherently governmental functions";[28] although the Experts could not conclusively define the term "inherently governmental functions", they agreed that, for example, the conduct of elections would so qualify.[29]
  5. Usurpation of "inherently governmental functions", such as exercise of law enforcement functions in another State’s territory without justification.[30]

The Tallinn Manual’s view of what constitutes a violation of sovereignty has been expressly endorsed by several States including Germany[31] and the Netherlands.[32] An alternative test has been proposed by France, which argues that a breach of sovereignty occurs already when there is “any unauthorised penetration by a State of [the victim State’s] systems”.[33]

Attributing the relevant cyber operation to a State different from the target State is a necessary prerequisite for qualifying the cyber operation as a violation of the target State's sovereignty.

Whether non-State actors can violate territorial sovereignty on their own is a matter of disagreement.[34]

Appendices

See also

Notes and references

  1. Island of Palmas (Neth. v. U.S.), 2 RIAA 829, 838 (Perm. Ct. Arb. 1928).
  2. UNGA Res 71/237 (30 December 2015) UN Doc A/RES/20/237.
  3. North Atlantic Treaty Organization, 'Wales Summit Declaration' (issued by the Head of State and Government participating in the meeting of the North Atlantic Council in Wales (5 September 2015) para 72.
  4. Organization for Security and Cooperation in Europe, Decision No. 1202, OSCE Confidence-Building Measures to Reduce the Risks of Conflict Stemming from the Use of Information and Communication Technologies (Permanent Council, 10 March 2016) PC.DEC/1202.
  5. Council of the European Union,"Council Conclusions on the Joint Communication to the European Parliament and the Council: Resilience, Deterrence and Defence: Building strong cybersecurity for the EU" (Council conclusions, 20 November 2017).
  6. Michael N Schmitt, 'Virtual Disenfranchisement: Cyber Election Meddling in the Grey Zones of International Law' (2018) 19 ChiJIntlL 30,40; Tallinn Manual 2.0, commentary to rule 4, para 2 (‘States shoulder an obligation to respect the sovereignty of other States as a matter of international law’).
  7. Austria, Pre-Draft Report of the OEWG - ICT: Comments by Austria (31 March 2020), stating that ‘a violation of the principle of State sovereignty constitutes an internationally wrongful act – if attributable to a State – for which a target State may seek reparation under the law of State responsibility’.
  8. Czech Republic, Statement by Mr. Richard Kadlčák, Special Envoy for Cyberspace, 2nd substantive session of the Open-ended Working Group on developments in the field of information and telecommunications in the context of international security (11 February 2020), stating that ‘[t]he Czech Republic concurs with those considering the principle of sovereignty as an independent right and the respect to sovereignty as an independent obligation.’
  9. Finland, ‘International law and cyberspace: Finland’s national positions’ (15 October 2020), 3, stating that ‘Finland sees sovereignty as a primary rule of international law, a breach of which amounts to an internationally wrongful act and triggers State responsibility. This rule is fully applicable in cyberspace.’
  10. French Ministry of the Armies, ‘International Law Applied to Operations in Cyberspace’, 9 September 2019, stating that ‘Any unauthorised penetration by a State of French systems or any production of effects on French territory via a digital vector may constitute, at the least, a breach of sovereignty’.
  11. Germany, ‘On the Application of International Law in Cyberspace: Position Paper’ (March 2021), p. 3, noting that ‘Germany agrees with the view that cyber operations attributable to States which violate the sovereignty of another State are contrary to international law’.
  12. Iran, ‘Declaration of General Staff of the Armed Forces of the Islamic Republic of Iran Regarding International Law Applicable to the Cyberspace’ (July 2020), para 4 (‘Any utilization of cyberspace if and when involves unlawful intrusion to the (public or private) cyber structures which is under the control of another state, maybe constituted as the violation of the sovereignty of the targeted state.’).
  13. Dutch Ministry of Foreign Affairs, ‘Letter to the parliament on the international legal order in cyberspace’ (5 July 2019), stating that ‘countries may not conduct cyber operations that violate the sovereignty of another country’.
  14. Gary P. Corn and Robert Taylor, ‘Sovereignty in the Age of Cyber’ (2017) 111 AJIL Unbound 207, 208 (arguing that sovereignty is ‘a principle of international law that guides state interactions’).
  15. Jeremy Wright, ‘Cyber and International Law in the 21st Century’ (23 May 2018) (stating that he was ‘not persuaded that we can currently extrapolate from that general principle a specific rule or additional prohibition for cyber activity beyond that of a prohibited intervention. The UK Government’s position is therefore that there is no such rule as a matter of current international law’); see also Memorandum from JM O’Connor, General Counsel of the Department of Defense, ‘International Law Framework for Employing Cyber Capabilities in Military Operations’ (19 January 2017) (considering that sovereignty is not ‘a binding legal norm, proscribing cyber actions by one State that result in effects occurring on the infrastructure located in another State, or that are manifest in another State’), as cited by Sean Watts & Theodore Richard, 'Baseline Territorial Sovereignty and Cyberspace' (2018) 22 Lewis & Clark L. Rev. 771, 829.
  16. Paul C. Ney, DOD General Counsel Remarks at U.S. Cyber Command Legal Conference, 2 March 2020, arguing that ‘the Department believes there is not sufficiently widespread and consistent State practice resulting from a sense of legal obligation to conclude that customary international law generally prohibits such non-consensual cyber operations in another State’s territory’.
  17. Cf. James Crawford, Brownlie's Principles of Public International Law (OUP 2012) 448.
  18. Tallinn Manual 2.0, rule 2.
  19. Sovereignty over cyber infrastructure derives from the traditional concept of sovereignty, independent of the use of cyberspace. See Wolff Heintschel von Heinegg, 'Territorial Sovereignty and Neutrality in Cyberspace' (2013) 89 Int’l L. Stud. 123 (noting that '[t]erritorial sovereignty [..] implies that, subject to applicable customary or conventional rules of international law, the State alone is entitled to exercise jurisdiction, especially by subjecting objects and persons within its territory to domestic legislation and to enforce these rules.')
  20. UN GA Res 2625 (XXV) (24 October 1970) (Friendly Relations Declaration), preamble (emphasizing “that the purposes of the United Nations can be implemented only if States enjoy sovereign equality and comply fully with the requirements of this principle in their international relations”); Tallinn Manual 2.0, rule 4.
  21. Tallinn Manual 2.0, commentary to rule 4, para 5 and 12.
  22. See, eg, Certain Activities Carried Out by Nicaragua in the Border Area (Costa Rica v Nicaragua) and Construction of a Road in Costa Rica along the San Juan River (Nicaragua v Costa Rica) (Judgment) [2015] ICJ Rep 665, 704–05, paras 97–99 (holding that the presence of Nicaragua’s military personnel in the territory under Costa Rica’s sovereignty amounted to a violation of Costa Rica’s territorial sovereignty); see also Tallinn Manual 2.0, commentary to rule 4, para 6.
  23. Tallinn Manual 2.0, commentary to rule 4, para 7; commentary to rule 32, para 9.
  24. Tallinn Manual 2.0, commentary to rule 4, para 11.
  25. Tallinn Manual 2.0, commentary to rule 4, para 12.
  26. Tallinn Manual 2.0, commentary to rule 4, para 13.
  27. Tallinn Manual 2.0, commentary to rule 4, para 14.
  28. Tallinn Manual 2.0, commentary to rule 4, para 15.
  29. Tallinn Manual 2.0, commentary to rule 4, para 16.
  30. Tallinn Manual 2.0, commentary to rule 4, para 18.
  31. Germany, ‘On the Application of International Law in Cyberspace: Position Paper’ (March 2021), p. 4.
  32. Dutch Ministry of Foreign Affairs, ‘Letter to the parliament on the international legal order in cyberspace’ (5 July 2019), p. 3.
  33. French Ministry of the Armies, International Law Applied to Operations in Cyberspace, p. 6.
  34. In favour: see, eg, Theodore Christakis, ‘The ICJ Advisory Opinion on Kosovo: Has International Law Something to Say about Secession?’ (2011) 24 LJIL 73, 84; Marcelo Kohen, ‘The Court’s Contribution to Determining the Content of Fundamental Principles of International Law’ in Giorgio Gaja and Jenny Grote Stoutenburg (eds), Enhancing the Rule of Law through the International Court of Justice (Brill 2012) 145. Against: see, eg, Tallinn Manual 2.0, commentary to rule 4, para 3.

Bibliography and further reading

With regard to incidents 1–3, the answer depends on whether the espionage operation was fully conducted from outside of State A’s territory, or whether a part of it was conducted by operators physically located in State A’s territory. In the latter case, the operation could be considered a violation of sovereignty, and hence State B’s breach of its corresponding international obligation (option 1 above).[1]

Taken separately, the publication of the acquired data (incident 4) would not violate the sovereignty of State A. Had the published information been classified in State A, then the publication is likely illegal according to State A’s domestic law; State A can also be party to international agreements which regulate the transfer of its classified information to third parties, which may create obligations for third States with regard to this information.[2]

Prohibited intervention

In the present scenario, prohibited intervention could also be a relevant qualification. The incidents encroach on State A’s external affairs which are the sole prerogative of State A. However, incidents 1–3 do not contain the element of coercion, because they are conducted merely with the aim to gather information, which does not compel State A to adapt the conduct of its external affairs.[3]

As for incident 4, if it can be attributed to State B, it is coercive in the sense that it has the potential to cause State A to adapt its external affairs based on the published information and to contain the relevant political damage. It may be harder for State A to ascertain the intent of State B, which might have had no particular outcome in mind, apart from causing mischief. This might also pose an issue for establishing the causal nexus between State B’s activity and the resulting reaction by State A: the causality might not be deemed direct enough.

Espionage

In general

Peacetime cyber espionage
Peacetime espionage has been traditionally considered as unregulated by international law. This is also reflected in the Tallinn Manual 2.0, which posits that ‘[a]lthough peacetime cyber espionage by States does not per se violate international law, the method by which it is carried out might do so.’[4]

However, the methods of peacetime cyber espionage are varied and the legal consensus is almost non-existent with regard to cyber operations below the threshold of use of force or armed attack.

It must be noted that although cyber espionage operations are generally not illegal from the perspective of international law, they are usually prohibited according to the domestic law of the target State. Moreover, the acting State’s authorities will also typically be subject to specific domestic law prescriptions pertaining to the conduct of foreign intelligence operations.

Conversely, the mere fact that an operation is a cyber espionage operation does not make it legal in international law, according to a majority of the experts drafting Tallinn Manual 2.0.[5] According to a minority of the experts, espionage creates an exception for certain otherwise illegal cyber operations.[6]

Economic cyber espionage

Economic cyber espionage
The United States has, already in its 2011 International Strategy for Cyberspace, declared that it “will take measures to identify and respond to [persistent theft of intellectual property, whether by criminals, foreign firms, or state actors working on their behalf,] to help build an international environment that recognizes such acts as unlawful and impermissible, and hold such actors accountable.”[7] The G20 countries reaffirmed in 2015 that “no country should conduct or support ICT-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.”[8] In September 2015, the US and China agreed on a similar commitment on a bilateral basis.[9]

Therefore, there is a push to curb the practice by developing a prohibition of such practice as a matter of international law.

However, according to the prevailing opinion, no such prohibition has crystallised in customary international law. In this regard, it is noteworthy that the 2015 UN GGE report does not mention economic cyber espionage among the applicable norms, rules, and principles of responsible State behaviour in cyberspace.[10] Several authors,[11] including experts of the Tallinn Manual 2.0,[12] consider that there is no distinction between economic cyber espionage and other forms of cyber espionage in general international law.[13] Additionally, no international consensus exists that agreements such as the WTO TRIPS[14] protect trade secrets against espionage conducted by a foreign state, and it is unclear whether the affected company can challenge the spying State in a domestic court or pursuant to a bilateral investment treaty, if there is one.[15]

Accordingly, such conduct is not subject to any general prohibition under extant international law.

Appendixes

See also

Notes and references

  1. Tallinn Manual 2.0, commentary to rule 4, para. 6-7; commentary to rule 32, para. 9.
  2. See, for example, Agreement between the government of the United Kingdom of Great Britain and Northern Ireland and the government of the French Republic concerning the mutual protection of classified information (signed on 27 March 2008 in London, entered into force 1 December 2008, France No. 1 (2008), Cm. 7425, available at [1].
  3. Tallinn Manual 2.0, commentary to rule 66, para. 33.
  4. Tallinn Manual 2.0, rule 32.
  5. Tallinn Manual 2.0, rule 32 and commentary to rule 32, para 6.
  6. Id.; Ashley Deeks, 'An International Legal Framework for Surveillance' (2015) 55 VA.J.INT’LL. 291, 302-3.
  7. President of the United States, ‘International Strategy for Cyberspace: Prosperity, Security, and Openness in a Networked World’ (2011).
  8. G20 Leaders’ Communiqué (15–16 November 2015), para 26; see also G7 Principles and Actions on Cyber (Annex to the Ise-Shima Declaration from 27 May 2016).
  9. See US, ‘FACT SHEET: President Xi Jinping’s State Visit to the United States’ (25 September 2015).
  10. UNGA ‘Report of the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security’ (22 July 2015), A/70/174.
  11. Catherine Lotrionte, ‘Countering State-Sponsored Cyber Economic Espionage Under International Law’ (2015) 40 N.C. J. INT'L L. & COM. REG. 443, 488-492; David Fidler, ‘Economic Cyber Espionage and International Law: Controversies Involving Government Acquisition of Trade Secrets through Cyber Technologies’ (2013) 17/10 ASIL Insights; Erica Häger & Carolina Dackö, ‘Economic Espionage: A Report by Mannheimer Swartling’ (2018).
  12. Tallinn Manual 2.0, rule 32, commentary 3.
  13. For an opposing view, see Russell Buchan, ‘The International Legal Regulation of State-Sponsored Cyber Espionage’ (2016) in International Cyber Norms: Legal, Policy & Industry Perspectives, Anna-Maria Osula and Henry Rõigas (Eds.), NATO CCD COE Publications, Tallinn 2016.
  14. Agreement on Trade-Related Aspects of Intellectual Property Rights, Annex 1C to the Agreement Establishing the World Trade Organization (signed on 15 April 1994 in Marrakesh), 1869 UNTS 299, 33 ILM 1197.
  15. Erika Häger & Carolina Dackö, ‘Economic Espionage: A Report by Mannheimer Swartling’ (2018), page 5: “Economic espionage, to the extent it qualifies as a violation of intellectual property rights, should arguably be treated as an act comparable to commercial activities, jure gestionis. A [S]tate would then not be able to claim state immunity for such acts and could thus instead face a normal trial in a domestic court.“

Bibliography and further reading

As this overview demonstrates, the mere characterization of a cyber operation as amounting to cyber espionage is not conclusive as to the question of its lawfulness under international law.[1] Reference must be had to specific rules of international law, which may be breached by the operation in question in its specific circumstances (see especially Sovereignty and Prohibited intervention above). It may be noted that there is a view that acts of espionage represent a customary exception to the relevant prohibitions.[2] However, this interpretation would amount to the establishment of a novel circumstance precluding wrongfulness, for which there is no evidence in international law. Accordingly, the lawfulness of incidents 1–4 therefore must be assessed with reference to other applicable international legal rules.

Due diligence

The due diligence obligation of State B for the abovementioned incidents is superseded by its direct responsibility for the activities of its governmental organs. On State B’s part, there is no omission, but rather a commission of an internationally wrongful act.[3]

Checklist

  • Do the affected materials come under the duty of inviolability?
  • Does the exfiltration and publication of data violate the sovereignty of the victim State?
  • Does the exfiltration and publication of data amount to a prohibited intervention?
  • Is the fact that part of the operation is cyber espionage an important circumstance for the il/legality of the operation?

Appendixes

See also

Notes and references

  1. See also Tallinn Manual 2.0, commentary to rule 32, para. 6 (“By styling a cyber operation as a ‘cyber espionage operation’, a State cannot ... claim that it is by definition lawful under international law; its lawfulness depends on whether the way in which the operation is carried out violates any international law obligations that bind the State.”).
  2. See, for example, Tallinn Manual 2.0, commentary to rule 32, para. 9; A Deeks, “An International Legal Framework for Surveillance”, (2015) 55 Va J Int’l L 291, 302.
  3. Tallinn Manual 2.0, commentary to rule 6, para. 43.

Bibliography and further reading

  • MN Schmitt (ed), Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (CUP 2017)
  • Etc.

External links

  • (...)


Original text by: Tomáš Minárik

Reviewed by: [TBC]