Scenario 03: Cyber operation against the power grid

Revision as of 15:37, 29 August 2018 by Kubomacak (talk | contribs) (Created page with "[INSERT PHOTO] Intelligence services of State B compromise the supply chain of an industrial control system in State A, thereby gaining access to a part of its electric power...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

[INSERT PHOTO] Intelligence services of State B compromise the supply chain of an industrial control system in State A, thereby gaining access to a part of its electric power grid. Subsequent attacks bring down the grid, leading to prolonged blackouts. The scenario considers whether such incidents may violate, among others, the prohibition of the use of force in international relations, the prohibition of intervention in the internal affairs of States, and the obligation to respect the sovereignty of other States. Specific consideration is given to the existence of a standalone obligation to refrain from attacking critical infrastructure of other States through cyber means.

Scenario

Keywords

Critical infrastructure, intervention, sovereignty, use of force

Facts

Government-owned company X is responsible for the distribution of electricity across a large part of the territory of State A. Accordingly, its infrastructure has been designated as “critical national infrastructure” by the domestic law.

Delivery of computers procured as part of the modernisation of the industrial control systems (ICS) used by company X is, unbeknownst to either of the contractual parties, compromised by attackers who succeed in installing concealed remote-control equipment in the computers in question. Once the computers are integrated in the ICS, the attackers are able to remotely monitor the activities in the technical control centre and to assume control over the infrastructure of company X without the staff knowing.

In the meantime, the relationship between States A and B, frail due to a shared history and a complicated ethnic composition of State A, whom State B periodically accuses of mistreating its large ethnic minority, significantly deteriorates. At one point, the distribution of power to tens of thousands of households in State A suddenly comes to a halt.

Initially, the technical control centre staff at company X are unable to locate the source of the problem. All reports generated by the ICS suggest normal operation. The controllers are unable to fix the problem remotely and technicians have to be dispatched to individual locations to perform a manual restart and thus to gradually restore the functionality of the network. In the meantime, the government sends its emergency responders and provides generators to the most affected residents.

As a consequence of the operation, many households are left without electricity for days, resulting in significant inconvenience for the local residents. However, the power cuts are limited to residential areas and no physical damage or personal injury is reported from any of the affected areas.

Much later, the source of the vulnerability is identified and the remote-control equipment is found and removed from the ICS at company X. Forensic analysis of the removed equipment determines that it was designed, installed, and controlled by the intelligence services of State B. State A is a member of a collective self-defence alliance O.

Examples

  • [YEAR] Black Energy
  • [YEAR] Stuxnet
  • [YEAR] Steel mill in Germany

Legal analysis

The analysis in this scenario focusses on the responsibility of State B for potential violations of international law as against State A. It assumes that the cyber operation against company X was attributable to State B. Given the facts of the scenario, this assumption is not particularly controversial. As noted, the technical investigation of the incident showed that the equipment used to compromise the grid had been installed by the intelligence service of State B. Pursuant to Article 4 of the ILC Articles on State Responsibility for Internationally Wrongful Acts, the conduct of any State organ, irrespective of its position within the State, its functions and its character as an organ within the central government or territorial unit, shall be considered an act of that State. Intelligence services undoubtedly form part of the executive power and their conduct is thus attributable to the relevant State under Article 4. Accordingly, the remainder of the analysis considers which specific rules of international law, if any, may have been breached by the operation in question.

Use of force

Article 2(4) of the UN Charter prescribes States to “refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the purposes of the United Nations”.[1] This prohibition is reflective of customary international law[2] and it is frequently described as a peremptory norm of international law.[3] However, the notion of “force” in this context is limited to armed force[4], and to operations whose scale and effects are comparable to the use of armed force.[5]

At present, the law is unsettled on the issue whether cyber operations with no physical effects may amount to a prohibited use of force. It has been argued that disruptive cyber operations of this kind fall under the scope of Article 2(4) if the resulting disruption is “significant enough to affect state security”.[6] Undoubtedly, one of the purposes of the prohibition of force under international law is to safeguard the national security of the potentially affected States.[7] However, many forms of outside interference including various forms of political and economic coercion may affect the national security of the victim State. And yet, the drafters of the UN Charter had expressly rejected the proposal to extend the prohibition of force beyond the strict confines of military (or armed) force.[8]

Admittedly, the notion of “force”, like other generic terms in treaties of unlimited duration, should be presumed to have an evolving meaning.[9] However, there is little State practice supporting the claim that its meaning has by now evolved to include non-destructive cyber operations against critical national infrastructure.[10] In fact, to date no victim State of an operation of this kind has suggested that the operation would have amounted to a use of force.[11]

  1. UN Charter, Art 2(4).
  2. ICJ, Military and Paramilitary Activities in and against Nicaragua (Nicaragua v US) (Merits) [1986] ICJ Rep 14, paras 187–90; Legal Consequences of the Construction of a Wall in the Occupied Palestinian Territory (Advisory Opinion) [2004] ICJ Rep 136, para 87.
  3. See, eg, ILC Yearbook of the ILC, 1966, vol II, 247 (“the law of the Charter concerning the prohibition of the use of force in itself constitutes a conspicuous example of a rule in international law having the character of jus cogens”); Gray __; Corten __; O Dörr and A Randelzhofer, ‘Article 2(4)’ in B Simma et al (eds), The Charter of the United Nations: A Commentary (3rd edn, OUP 2012) vol I, 231, para 67 (“the prohibition of the use of force laid down in Art. 2 (4) is usually acknowledged in State practice and legal doctrine to have a peremptory character, and thus to be part of the international ius cogens”).
  4. O Dörr and A Randelzhofer, ‘Article 2(4)’ in B Simma et al (eds), The Charter of the United Nations: A Commentary (3rd edn, OUP 2012) vol I, 208, para 16 (“The term [‘force’] does not cover any possible kind of force, but is, according to the correct and prevailing view, limited to armed force.”).
  5. Cf. Tallinn Manual 2.0, rule 69 (“A cyber operation constitutes a use of force when its scale and effects are comparable to non-cyber operations rising to the level of a use of force.”).
  6. M Roscini, Cyber Operations and the Use of Force in International Law (OUP 2014) 55.
  7. [ADD REF].
  8. Documents of the United Nations Conference on International Organization (1945), vol VI, 334.
  9. Cf. ICJ, Dispute regarding Navigational and Related Rights (Costa Rica v Nicaragua) Judgment [2009] ICJ Rep 213, para 66 (“[W]here the parties have used generic terms in a treaty, the parties necessarily having been aware that the meaning of the terms was likely to evolve over time, and where the treaty has been entered into for a very long period or is ‘of continuing duration’, the parties must be presumed, as a general rule, to have intended those terms to have an evolving meaning”).
  10. However, such claims are occasionally made in the scholarship: see, eg, M Roscini, Cyber Operations and the Use of Force in International Law (OUP 2014) 59; [ADD FURTHER REF].
  11. [ADD REF].