Scenario 04: A State’s failure to assist an international organization
An international organization falls victim to cyber attacks, the impact of which could and should have been averted by the host state. The scenario explores the obligation of due diligence on the part of the host state and whether and under what circumstances the international organization may resort to countermeasures.
Countermeasures, international organisation, legal personality, malware
The regional headquarters (RHQ) of the international organization Z is located in State A, which is also a Member State of the organization. The status of the RHQ is governed by a host agreement between State A and organization Z. The agreement establishes, among other things, (1) a scheme of regular monthly payments by organization Z to State A in return for the provision of communications, security, and other services; and (2) a duty of State A to “render all practicable assistance to [organization Z] in the fulfilment of its functions, including […] the provision of security of communications and information systems”.
In the meantime, security researchers at a government CERT in State B, which is not a Member State of organization Z, discover a large-scale APT attack that targets several public and private institutions in various countries. After they determine that the computer network of organization Z’s RHQ in State A has also been compromised, they submit a confidential report of their findings to the CERT in that State including recommendations of specific measures to be taken.
Several days later, all RHQ computers are paralysed by data encrypting ransomware and it is later confirmed that the malware does not actually preserve the encryption key and that therefore all encrypted data has been irretrievably lost.
The fact that all RHQ staff were locked out of their devices, combined with the loss of data, means that the international organization experiences a significant disruption to its activities in the entire region. The independent confidential report is soon leaked to the press, exposing the State A as having left the organisation “at the mercy” of foreign hackers.
Aggrieved by these revelations, the organization ceases all payments to State A and issues a public statement noting that it does not intend to reinstate the payments until the State compensates it for all damage incurred by the cyber attack and provides credible reassurance that an incident of this kind will not happen in the future. The origin of the attack remains unknown.
- 1718 sanctions committee hack (2016)
- NotPetya (mock ransomware) (2017)
- WannaCry (2017)
- African Union headquarters hack (2018)
- Attempted hack of the OPCW (2018)
For a general overview of the structure of analysis in this section, see Note on the structure of articles.
The analysis in this scenario first considers whether State A violated any of its international obligations owed to international organization Z. In the second section, it zones in on the question whether the measures the organization took in response can be qualified as lawful countermeasures against State A.
Breach of obligations owed to international organizations
It has long been established that international organizations may possess legal personality under international law. Those that do, qualify as subjects of international law and are therefore capable of possessing international rights and duties. Although the legal personality of some organizations may pose particular problems, if a State concludes an agreement with an international organization, it clearly thereby recognizes its legal personality. It follows that the legal personality of organization Z was at least implicitly recognized by State A by virtue of the conclusion of the host agreement.
There is no general rule of international law that would prohibit the interference with the cyber infrastructure of an international organization. Cyber operations against the infrastructure of an international organization located in the territory of a particular State may simultaneously infringe international legal rights of that State, which then becomes entitled to respond to the breach. However, that solution is manifestly not available in a situation where the potentially responsible party is the territorial State itself—as in the present scenario. In other words, a specific obligation owed by the State to the organization must be identified.
An obligation of this kind may arise from an international treaty between a State and an international organization. State A is indeed under the duty to “render all practicable assistance to [organization Z] in the fulfilment of its functions, including […] the provision of security of communications and information systems”, an obligation paralleled in other existing host agreements.
Firstly, the obligation of State A to provide all practicable assistance to international organization Z is an obligation of conduct and not of result. State A is thus not responsible for the fact that negative consequences had materialized in the form of the loss of data and the need to repair the attacked cyber infrastructure belonging to organization Z. However, State A was informed by the CERT in State B of the risk that malicious actors may soon seize control over the computers in the regional office. Accordingly, the State’s failure to act on the report in any way whatsoever is legally relevant. Irrespective of the factual consequences of the State’s conduct, it will be in breach of its obligation if its actual conduct does not correspond to the conduct required by the obligation.
Secondly, whether a State’s actual conduct corresponds with that required by an obligation of conduct is determined by reference to the criterion of due diligence.
Thirdly, although the extent of required conduct will vary from case to case, if a State fails to act altogether in spite of a real possibility that its inaction would adversely affect the beneficiary of the obligation, then it will clearly not have met the due diligence criterion.
Whether an obligation subject to a relative standard such as “practicability”, “feasibility”, or “reasonableness” has been complied with must be assessed on a case-by-case basis in light of all attendant circumstances.
Applied to the present scenario, the above considerations lead to a conclusion that State A did not meet the standard of due diligence against which its compliance with the obligation to render all practicable assistance is measured. As such, State A violated its obligation owed to international organization Z under the host agreement. Moreover, this violation was of a continuing character, persisting for as long as State A’s inaction inconsistent with its international obligations continued.
Countermeasures by international organizations
This section focusses on the question whether, and to what extent, international organization Z may respond to the breach of the host agreement by State A by taking measures that would otherwise be unlawful under international law. Conversely, it does not consider the related question of suspension or termination of treaty relations between State A and international organization Z on account of a supposed material breach of the host agreement.
To begin with, it follows from the fact of an international organization’s legal personality that if its rights had been infringed by another subject of international law, the organization must have the right to invoke that subject’s international responsibility. In particular, the organization may demand the cessation of the internationally wrongful act as well as reparation for the injury suffered. However, it is not universally accepted that an international organization may resort to countermeasures in order to procure such cessation and/or reparation. Those who object against such capacity on part of international organizations under the extant international law point to insufficient practice in the area. However, in the decentralized international legal order, the right to invoke the responsibility of other subjects must entail the right to resort to the permissible means of enforcement that have evolved under international law. To hold otherwise would be to deprive international organizations of the ability to effectively protect their rights and thus to nullify the legal effect of their legal personality. The view that international organizations may take countermeasures is additionally supported by the International Law Commission and several international organizations and States.
The interruption of payments owed to State A under the terms of the host agreement amounts to a clear breach of organization Z’s international obligations. In order for this conduct to be considered a countermeasure and, as such, internationally lawful, several conditions must be fulfilled.
In particular, the injured international organisation must first call upon the responsible party to fulfil its obligations of cessation and reparation, and it must notify the latter of its intention to take countermeasures, while offering to negotiate (condition 1); any countermeasures taken must comply with the principle of proportionality (condition 2); they must be, as far as possible, temporary in nature and terminate as soon as the responsible party has fulfilled its relevant obligations (condition 3); and they must not violate obligations under peremptory norms of general international law (condition 4).
In the present case, condition 1 appears not to have been met: international organization Z would have been advised to communicate its demands and intentions to State A prior to interrupting the payments required under the host agreement. Exceptionally, the injured party may dispense with the notification requirement and take “urgent countermeasures”, but this exception is limited to those measures that are necessary to preserve that entity’s rights. No such urgency seems to be substantiated under the terms of the scenario. Moreover, the UK Attorney General has recently suggested that the notification requirement may not apply in the cyber context if it entailed the exposition of “highly sensitive capabilities in defending the country”. Whatever the status of this supposed additional exception under international law, it would clearly be inapplicable to the present set of facts.
Condition 2 requires that any countermeasures taken must be commensurate with the injury suffered, taking into account the gravity of the internationally wrongful act and the rights in question. This requirement of proportionality does not imply that the response must be equivalent, reciprocal or even in-kind: “[n]on-cyber countermeasures may be used in response to an internationally wrongful act involving cyber operations, and vice versa”. In the present case, international organization Z would likely be able to make a solid case that the measures it took in response were proportionate to the injury suffered. This is because until the effects of the malicious cyber operation against it are remedied, the organization will not be able to resume its activities. Accordingly, the cessation of payments to State A for the provision of communications, security, and other services appears to be directly tied to the rights infringed and not excessive to what is needed for the vindication of those rights. As such, the measures taken by Z can be considered as compliant with the criterion of proportionality.
Condition 3 requires that countermeasures must be terminated as soon as the responsible party has complied with its cessation and reparation obligations. In this regard, the statement by international organization Z seems to closely follow the relevant legal requirements. As noted above, at that time, State A’s inaction qualified as a breach of its international obligations having a continuing character. Suppose that State A would subsequently agree to provide adequate reparation by, for example, repairing the damaged cyber infrastructure, paying appropriate compensation, and introducing effective measures to avoid the repetition of similar incidents. In that case, any countermeasures would no longer be justified and international organization Z would have to resume all its duties under the host agreement.
The described countermeasures do not violate obligations under peremptory norms (condition 4).
In conclusion, although organization Z was in principle entitled under international law to resort to countermeasures, under the circumstances of the present scenario, the cessation of payments to State A did not meet one of the necessary criteria (condition 1 above) and as such it amounted a violation of international law by the organization.
- Does the international organization in question possess international legal personality?
- Does the constituent instrument of the international organization contain any relevant duties owed to it by its member States?
- Do the relevant obligations qualify as obligations of conduct or result?
- Would the measures taken in response by the international organization amount to a breach of its obligations to the acting State?
- Can the measures taken in response be qualified as lawful countermeasures against the acting State?
- Scenario 06: Cyber countermeasures against an enabling State
- Scenario 11: Sale of surveillance tools in defiance of international sanctions
Notes and references
- Reparation for Injuries Suffered in the Service of the United Nations (Advisory Opinion)  ICJ Rep 174, 179.
- Reparation for Injuries Suffered in the Service of the United Nations (Advisory Opinion)  ICJ Rep 174, 179; cf. also Article 2 DARIO (defining an IO as being ‘established by a treaty or other instrument governed by international law and possessing its own international legal personality’) (emphasis added).
- See, eg, N White, The Law of International Organizations (2nd edn, Juris 2005) 30–69.
- Cf. Sixth report on unilateral acts of States, by Mr. Victor Rodríguez Cedeño, Special Rapporteur, UN Doc A/CN.4/534 (30 May 2003), p. 58, para. 28 (“When a State … concludes an agreement with an entity that it has not recognized as such, it will be recognizing it from that point in time onwards or from the point in time at which the act is established.”).
- Cf. Tallinn Manual 2.0, part I, chapter 4, section 4, chapeau, para. 9 (noting that the territorial State may assert a violation of its own sovereignty by virtue of the operation’s destructive effects that manifest on its territory; and that it may use force to respond in self-defence if the cyber operation rises to the level of an armed attack).
- Cf. Reparations for Injuries, 182 (requiring “that the injury for which the reparation is demanded arises from a breach of an obligation designed to help an agent of the Organization in the performance of his duties” while noting that it would not be sufficient for the wrongful act or omission to “merely constitute a breach of the general obligations of a State”).
- [ADD REF TO HOST AGMTS]; see also UN Charter, Art 2(5) (“All Members shall give the United Nations every assistance in any action it takes in accordance with the present Charter”).
- R Wolfrum, ‘Obligation of Result Versus Obligation of Conduct: Some Thoughts About the Implementation of International Obligations’ in MH Arsanjani et al, Looking to the Future: Essays on International Law in Honor of W. Michael Reisman (Brill 2010) 375–76.
- A government-run CERT is undoubtedly an organ of the State and its action or inaction is thus fully attributable to the State in question. See also Articles on State Responsibility, commentary to Art. 4, para. 6 (noting that “the reference to a State organ in article 4 is intended in the most general sense”).
- Articles on State Responsibility, Art. 12.
- J Kulesza, Due Diligence in International Law (Brill 2016) 266 (“The principle of due diligence applied to the obligations of conduct serves as criteria for assessing state compliance with a given duty, regardless of the consequences of a particular state action or omission.”). The notion of due diligence understood in this sense (i.e., as a standard against which the compliance with a duty is assessed) should be distinguished from the self-standing obligation of due diligence understood as a duty of each State not to allow its territory to be used in a way that affects the rights of other States. Due diligence in this latter sense is considered in particular in scenarios .
- Cf. Tallinn Manual 2.0, commentary to rule 7, para. 2 (“The due diligence principle is a legal obligation that is violated by omission. In this regard, omission not only encompasses inaction, but also the taking of ineffective or insufficient measures when other more appropriate measures are feasible, that is, reasonably available and practicable.”) (emphasis added).
- Cf. Interpretation of the Agreement of 25 March 1951 between the WHO and Egypt, Advisory Opinion,  ICJ Rep 96, para. 49 (“[W]hat is reasonable and equitable in any given case must depend on its particular circumstances.”); Wemhoff v Germany, para. 10 (“reasonableness … must be assessed in each case according to its special features”).
- Cf. Articles on State Responsibility, Art. 14(2) (“The breach of an international obligation by an act of a State having a continuing character extends over the entire period during which the act continues and remains not in conformity with the international obligation.”).
- See also ILC Draft Articles on State Responsibility, Part Three, chapter II, para. 4 (“Countermeasures are to be clearly distinguished from the termination or suspension of treaty relations on account of the material breach of a treaty by another State, as provided for in article 60 of the 1969 Vienna Convention. Where a treaty is terminated or suspended in accordance with article 60, the substantive legal obligations of the States parties will be affected, but this is quite different from the question of responsibility that may already have arisen from the breach.”).
- See, eg, Tallinn Manual 2.0, commentary to rule 31, para. 27 in fine (“Other Experts in the majority did not subscribe to this view, again citing the lack of practice in the area.).
- Cf. F Dopagne, ‘Sanctions and Countermeasures by International Organizations’, in R Collins and N White (eds) International Organizations and the Idea of Autonomy (Routledge 2011) 181.
- See, ILC Draft Articles on the Responsibility of International Organizations, Art. 51, paras. 1–3; see also ILC Yearbook 1979 II-1 at 44 para 94 (“we might hypothesize the simpler case where [an international] organization denies to a State which has seriously and persistently violated an obligation towards the organization itself, the financial or technical assistance which the latter has pledged to provide under the terms of an agreement. In such a situation, it is surely beyond doubt that such measures would not be wrongful.”)
- Articles on State Responsibility, Art. 52(1)(a); according to DARIO Commentary, Article 22 commentary 2, ASR are applied per analogiam, because DARIO do not regulate additional conditions for countermeasures of international organisations against States, only vice versa: compare DARIO Part Four, Art. 43-57.
- Articles on State Responsibility, Art. 52(1)(b) per analogiam.
- Articles on State Responsibility, Art. 51 per analogiam.
- Articles on State Responsibility, Art. 49(2) and (3) per analogiam.
- Articles on State Responsibility, Art. 53 per analogiam.
- Articles on State Responsibility, Art. 50 per analogiam.
- UK Attorney General speech 2018 (“The covertness and secrecy of the countermeasures must of course be considered necessary and proportionate to the original illegality, but we say it could not be right for international law to require a countermeasure to expose highly sensitive capabilities in defending the country in the cyber arena, as in any other arena.”).
- Articles on State Responsibility, Art. 51 per analogiam.
- Tallinn Manual 2.0, rule 23, para. 7.
- Cf. Articles on State Responsibility, Art. 14(2) (on obligations having a continuing character); see also section “Breach of obligations owed to international organizations” above.
Bibliography and further reading