Difference between revisions of "Scenario 03: Cyber operation against the power grid"

Jump to navigation Jump to search
(integrating review CS)
[[File:Power Grid - Flickr - brewbooks (1).jpg|thumb|Power lines near Mansfield, Washington. Photo by [https://www.flickr.com/people/93452909@N00 brewbooks].]]
Intelligence services of onea State compromise the supply chain of an industrial control system in another State, thereby gaining access to a part of its electric power grid. Subsequent attacks bring down the grid, leading to prolonged blackouts. The scenario considers whether such incidents may violateamount to, among others, thea prohibition of theprohibited use of force in international relations, the prohibition ofan intervention in the internal affairs of Statesanother State, andor thea obligationviolation to respectof the sovereignty of otheranother StatesState. Specific consideration is given to thewhether existencethere ofexists a standalone obligation to refrain from attacking critical infrastructure of other States through cyber means.
== Scenario ==
Initially, the technical control centre staff at company X are unable to locate the source of the problem. All reports generated by the ICS suggest normal operation. The controllers are unable to fix the problem remotely and technicians have to be dispatched to individual locations to perform a manual restart and thus to gradually restore the functionality of the network. In the meantime, the government sends its emergency responders and provides generators to the most affected residents.
As a consequence of the operation, many households are left without electricity for days, resulting in significant inconvenience for the local residents as well as some economic damage to company X and other actors in State A’s territory, including the State itself. However, the power cuts are limited to residential areas and no physical damage or personal injury is reported from any of the affected areas.
Much later, the source of the vulnerability is identified and the remote-control equipment is found and removed from the ICS at company X. Forensic analysis of the removed equipment determines that it was designed, installed, and controlled by the intelligence services of State B. State A is a member of a collective self-defence alliance O.
''For a general overview of the structure of analysis in this section, see [[Note on the structure of articles]].''
The analysis in this scenario focusses on the responsibility of State B for potential violations of international law as against State A. It assumes that the cyber operation against company X was [[Attribution|attributable]] to State B. Given the facts of the scenario, this assumption is not particularly controversial. As noted, the technical investigation of the incident showed that the equipment used to compromise the grid had likely been installed by the intelligence service of State B. Pursuant to Article 4 of the ILC Articles on State Responsibility for Internationally Wrongful Acts, the conduct of any State organ, irrespective of its position within the State, its functions and its character as an organ within the central government or territorial unit, shall be considered an act of that State. Intelligence services undoubtedly form part of the executive power and their conduct is thus attributable to the relevant State under Article 4. Accordingly, the remainder of the analysis considers which specific rules of international law, if any, may have been breached by the operation in question.
=== Use of force ===
{{#lst:Use of force|Definition}}
The scenario notes that the cyber operation against company X had caused significant inconvenience to many households in State A. Theas blackoutwell must also have resultedas insome economic damage to companya Xnumber and otherof actors on State A’s territory, likely including the State itself. However, there is no indication of actual physical damage having occurred or of any injury to individuals as a result of the operation.  Therefore, the principal legal question is whether such forms of interference may be categorized as a use of force inconsistent with Article 2(4) of the UN Charter. As noted, the law is unsettled in this regard and a clear conclusion cannot be made at present.
In any event, the characterization of an incident of this nature as amounting to a use of force would be of limited consequence in the present scenario. This is because even if a particular act by a State qualifies as prohibited force, the victim State and its allies may only respond in self-defence if the said act is additionally of sufficient gravity to amount to an “armed attack”,<ref> [https://treaties.un.org/doc/publication/ctc/uncharter.pdf Charter of the United Nations] (adopted 26 June 1945, entered into force 24 October 1945) 1 UNTS 16 (UN Charter) Art 51. A minority view should be acknowledged here, according to which the right of self-defense potentially applies against any illegal use of force, irrespective of its qualification as an “armed attack”. See, eg, US DoD, ''[https://dod.defense.gov/Portals/1/Documents/pubs/DoD%20Law%20of%20War%20Manual%20-%20June%202015%20Updated%20Dec%202016.pdf?ver=2016-12-13-172036-190 Law of War Manual]'' (December 2016), para</ref> and even then, the permitted response is further limited by the conditions of necessity and proportionality.<ref> See, eg, ''[https://www.icj-cij.org/files/case-related/70/070-19860627-JUD-01-00-EN.pdf Military and Paramilitary Activities in and against Nicaragua] (Nicaragua v US)'' (Merits) [1986] ICJ Rep 14, para 194; ''[https://www.icj-cij.org/files/case-related/95/095-19960708-ADV-01-00-EN.pdf Legality of the Threat or Use of Nuclear Weapons Case]'' (Advisory Opinion) [1996] ICJ Rep 226, para 41; ''[https://www.icj-cij.org/files/case-related/90/090-20031106-JUD-01-00-EN.pdf Oil Platforms] (Iran v US)'' [2003] ICJ Rep 161, para 43.</ref> However, the lack of destructive effects in State A strongly militates against the qualification of the cyber operation by State B as an “armed attack” under international law.<ref> ''[https://www.icj-cij.org/files/case-related/70/070-19860627-JUD-01-00-EN.pdf Military and Paramilitary Activities in and against Nicaragua] (Nicaragua v US)'' (Merits) [1986] ICJ Rep 14, para 195 (holding that an operation must be characterized by sufficient “scale and effects” in order to qualify as an “armed attack”); but see [https://doi.org/10.1017/9781316822524 Tallinn Manual 2.0], commentary to rule 71, para 12 (noting that some experts held “the view that a cyber operation directed against a State’s critical infrastructure that causes severe, albeit not destructive, effects would qualify as an armed attack“).</ref>