Editing Scenario 05: State investigates and responds to cyber operations against private actors in its territory


The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.

Latest revision Your text
Line 1: Line 1:
__NUMBEREDHEADINGS__
 
 
[[File:The Bronze Soldier - panoramio.jpg|thumb|The Bronze Soldier statue in Tallinn, Estonia. Photo by Keith Ruffles (CC-BY 3.0 Unported).]]
 
[[File:The Bronze Soldier - panoramio.jpg|thumb|The Bronze Soldier statue in Tallinn, Estonia. Photo by Keith Ruffles (CC-BY 3.0 Unported).]]
 
This scenario considers a series of malicious cyber operations originating from one State’s territory and targeting private entities on the territory of another. In the course of investigation, and after failing to receive cooperation from the suspected offending State, the victim State opts to penetrate the networks of the suspected offending State without consent. The victim State thereafter discovers that the suspected offending State’s military personnel was involved in some of the malicious cyber operations. This scenario analyses the rules of State responsibility, including attribution and the degrees of responsibility of the State of origin, the international obligations that may have been breached, and the ability of the victim State to justify its response under the law of countermeasures.
 
This scenario considers a series of malicious cyber operations originating from one State’s territory and targeting private entities on the territory of another. In the course of investigation, and after failing to receive cooperation from the suspected offending State, the victim State opts to penetrate the networks of the suspected offending State without consent. The victim State thereafter discovers that the suspected offending State’s military personnel was involved in some of the malicious cyber operations. This scenario analyses the rules of State responsibility, including attribution and the degrees of responsibility of the State of origin, the international obligations that may have been breached, and the ability of the victim State to justify its response under the law of countermeasures.
Line 25: Line 24:
 
=== Examples ===
 
=== Examples ===
 
* [[Cyber attacks against Estonia (2007)]]
 
* [[Cyber attacks against Estonia (2007)]]
* [[Shamoon (2012)]]
 
 
* [[Sony Pictures Entertainment attack (2014)]]
 
* [[Sony Pictures Entertainment attack (2014)]]
 
* [[Springhill Medical Center ransomware attack (2019)]]
 
* [[Springhill Medical Center ransomware attack (2019)]]
 
<!--
 
<!--
  +
* [[Shamoon (2012)]]
 
* [[Operation Ababil (2012-2013)]]
 
* [[Operation Ababil (2012-2013)]]
 
* [[Sands Casino (2014)]]
 
* [[Sands Casino (2014)]]
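Review bot: on the + side the [[Shamoon (2012)]] entry sits after the comment opener, so it joins Operation Ababil and Sands Casino in the commented-out block and no longer appears in the displayed Examples list. If Shamoon is still meant to be shown, keep it directly after the Estonia entry as in the latest revision.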
Line 100: Line 99:
 
{{#lst:Sovereignty|Definition}}
 
{{#lst:Sovereignty|Definition}}
   
'''[L21]''' There are two possible views as regards State A’s decision to remotely access several computers in State B’s territory in search of evidence (incident 3). On the first view, given that the resulting operation consisted merely of non-invasive collection of information, it did not as such interfere with State B’s governmental functions. By contrast, the competing view is that because the operation was mounted in order to collect evidence for criminal proceedings without the consent of the territorial State, it therefore qualified as a non-consensual exercise of law enforcement functions in State A’s territory. As law enforcement is exclusively reserved to the territorial State under international law, on this view State B’s conduct would have violated State A’s sovereignty.<ref>Compare [https://doi.org/10.1017/9781316822524 Tallinn Manual 2.0], commentary to rule 4, para 18: “if one State conducts a law enforcement operation against a botnet in order to obtain evidence for criminal prosecution by taking over its command and control servers located in another State without that State’s consent, the former has violated the latter’s sovereignty because the operation usurps an inherently governmental function exclusively reserved to the territorial State under international law.</ref>
+
'''[L21]''' As State A decides to remotely access several computers in State B’s territory in search of evidence (incident 3), it is exercising its enforcement jurisdiction in State B’s territory.<ref>[https://doi.org/10.1017/9781316822524 Tallinn Manual 2.0], commentary to rule 11, para 7.</ref> Absent State B’s consent or other justification, State A’s action is in violation of State B’s sovereignty (option 5 - usurpation of inherently governmental functions).<ref>[https://doi.org/10.1017/9781316822524 Tallinn Manual 2.0], commentary to rule 4, para 18.</ref>
   
'''[L22]''' State A might be able to justify its actions by invoking countermeasures, as detailed below.
+
'''[L22]''' State A might try to justify its actions by invoking countermeasures, as detailed below.
   
 
=== Countermeasures by State A ===
 
=== Countermeasures by State A ===
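Review bot: the + side of [L21] states only the usurpation reading and drops the competing view, present in the latest revision, that non-invasive collection of information does not interfere with State B's governmental functions; either say that this view is rejected or keep both. If the latest revision is kept instead, its last two sentences refer to "State A's territory" and "State B's conduct" although the first sentence has State A accessing computers in State B's territory, and the quotation in its footnote is never closed.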
Line 121: Line 120:
   
 
== Checklist ==
 
== Checklist ==
* [[Attribution]]:
+
* Attribution:
 
** How much evidence exists tying the purported perpetrators of the incidents to State B?
 
** How much evidence exists tying the purported perpetrators of the incidents to State B?
 
** What should be the evidentiary standard for making the attribution?
 
** What should be the evidentiary standard for making the attribution?
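Review bot: the + side turns the checklist heading "[[Attribution]]:" into plain text, and the following hunks do the same for the other checklist headings, so the checklist loses its links to the corresponding articles. Keep the linked form unless the links are being dropped on purpose, and say so in the edit summary if they are.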
Line 127: Line 126:
 
** Does it matter that the operation against State A was partly conducted by public officials of State A?
 
** Does it matter that the operation against State A was partly conducted by public officials of State A?
 
** Can the conduct of "State B Digital Army" be attributed to State B?
 
** Can the conduct of "State B Digital Army" be attributed to State B?
* [[Sovereignty]] of State A:
+
* Sovereignty of State A:
 
** When does a cyber operation against non-State actors violate the sovereignty of a State?
 
** When does a cyber operation against non-State actors violate the sovereignty of a State?
* [[Prohibition of intervention]]:
+
* Prohibition of intervention:
 
** Did State B's operation intrude into State A's domaine réservé?
 
** Did State B's operation intrude into State A's domaine réservé?
 
** Was State B's operation coercive?
 
** Was State B's operation coercive?
* [[Due diligence]]:
+
* Due diligence:
 
** Did the relevant cyber operation adversely affect the rights of State A?
 
** Did the relevant cyber operation adversely affect the rights of State A?
 
** Was the cyber operation conducted from or through the territory of State B?
 
** Was the cyber operation conducted from or through the territory of State B?
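Review bot: the unchanged item "Does it matter that the operation against State A was partly conducted by public officials of State A?" looks like a slip for State B, since the summary has the suspected offending State's military personnel involved and the neighbouring items ask about attribution to State B. Worth correcting while this section is being edited.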
Line 139: Line 138:
 
** Did State B know or should it have known of the incident in question?
 
** Did State B know or should it have known of the incident in question?
 
** Did State B take all feasible measures to put an end to the malicious cyber activities?
 
** Did State B take all feasible measures to put an end to the malicious cyber activities?
* [[Sovereignty]] of State B:
+
* Sovereignty of State B:
 
** Can State A exercise its jurisdiction in State B's cyber infrastructure when trying to ascertain the attribution to State B?
 
** Can State A exercise its jurisdiction in State B's cyber infrastructure when trying to ascertain the attribution to State B?
* [[Countermeasures]] by State A:
+
* Countermeasures by State A:
 
** Does State A commit an internationally wrongful act by responding to an act whose wrongfulness has not been ascertained?
 
** Does State A commit an internationally wrongful act by responding to an act whose wrongfulness has not been ascertained?
   
Line 150: Line 149:
 
* [[Attribution]]
 
* [[Attribution]]
 
* [[Sovereignty]]
 
* [[Sovereignty]]
* [[Prohibition of intervention]]
 
 
* [[Due diligence]]
 
* [[Due diligence]]
 
* [[Countermeasures]]
 
* [[Countermeasures]]
* [[Scenario 14: Ransomware campaign]]
 
   
 
=== Notes and references ===
 
=== Notes and references ===
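Review bot: the + side drops [[Prohibition of intervention]] from this list although the checklist above still carries a Prohibition of intervention item, and it also drops [[Scenario 14: Ransomware campaign]]. Keep both entries unless the corresponding material is being removed from the scenario as well.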
Line 170: Line 167:
 
*Peter Margulies, '[https://law.unimelb.edu.au/__data/assets/pdf_file/0006/1687488/05Margulies-Depaginated.pdf Sovereignty and Cyber Attacks: Technology's Challenge to the Law of State Responsibility]' (2013) 14 MJIL.
 
*Peter Margulies, '[https://law.unimelb.edu.au/__data/assets/pdf_file/0006/1687488/05Margulies-Depaginated.pdf Sovereignty and Cyber Attacks: Technology's Challenge to the Law of State Responsibility]' (2013) 14 MJIL.
 
*Tim Maurer and Michael Schmitt, ‘[https://www.justsecurity.org/44411/protecting-financial-data-cyberspace-precedent-progress-cyber-norms/ Protecting Financial Data in Cyberspace: Precedent for Further Progress on Cyber Norms?]’ ''Just Security,'' 14th August 2017.
 
*Tim Maurer and Michael Schmitt, ‘[https://www.justsecurity.org/44411/protecting-financial-data-cyberspace-precedent-progress-cyber-norms/ Protecting Financial Data in Cyberspace: Precedent for Further Progress on Cyber Norms?]’ ''Just Security,'' 14th August 2017.
* Tomohiro Mikanagi and Kubo Mačák, ‘Attribution of Cyber Operations: An International Law Perspective on the Park Jin Hyok case’ (2020) 9 Cambridge International Law Journal 51.
 
 
*Michael N Schmitt (ed), ''[https://doi.org/10.1017/9781316822524 Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations]'' (CUP 2017).
 
*Michael N Schmitt (ed), ''[https://doi.org/10.1017/9781316822524 Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations]'' (CUP 2017).
 
*Michael N Schmitt, '[https://heinonline.org/HOL/P?h=hein.journals/cjil19&i=36 Virtual Disenfranchisement: Cyber Election Meddling in the Grey Zones of International Law]' (2018) 19 ChiJIntlL 30.
 
*Michael N Schmitt, '[https://heinonline.org/HOL/P?h=hein.journals/cjil19&i=36 Virtual Disenfranchisement: Cyber Election Meddling in the Grey Zones of International Law]' (2018) 19 ChiJIntlL 30.
 
*Michael N Schmitt and Liis Vihul, ‘[https://texaslawreview.org/respect-sovereignty-cyberspace/ Respect for Sovereignty in Cyberspace]’ (2017) 95 Tex L Rev. 163.
 
*Michael N Schmitt and Liis Vihul, ‘[https://texaslawreview.org/respect-sovereignty-cyberspace/ Respect for Sovereignty in Cyberspace]’ (2017) 95 Tex L Rev. 163.
 
*Sean Watts & Theodore Richard, '[https://law.lclark.edu/live/files/26902-lcb223article3wattspdf Baseline Territorial Sovereignty and Cyberspace]' (2018) 22 Lewis & Clark L. Rev. 771.
 
*Sean Watts & Theodore Richard, '[https://law.lclark.edu/live/files/26902-lcb223article3wattspdf Baseline Territorial Sovereignty and Cyberspace]' (2018) 22 Lewis & Clark L. Rev. 771.
*Rüdiger Wolfrum, ‘Obligation of Result Versus Obligation of Conduct: Some Thoughts About the Implementation of International Obligations’ in Mahnoush H Arsanjani and others, ''Looking to the Future: Essays on International Law in Honor of Michael Reisman'' (Brill 2010).
+
*Rüdiger Wolfrum, ‘Obligation of Result Versus Obligation of Conduct: Some Thoughts About the Implementation of International Obligations’ in Mahnoush H Arsanjani et al, ''Looking to the Future: Essays on International Law in Honor of Michael Reisman'' (Brill 2010).
 
*Katja Ziegler, “[http://opil.ouplaw.com/view/10.1093/law:epil/9780199231690/law-9780199231690-e1398 Domaine Réservé]”, in Rudiger Wolfrum (ed), ''Max Planck Encyclopedia of Public International Law'' (OUP 2008).<br />
 
*Katja Ziegler, “[http://opil.ouplaw.com/view/10.1093/law:epil/9780199231690/law-9780199231690-e1398 Domaine Réservé]”, in Rudiger Wolfrum (ed), ''Max Planck Encyclopedia of Public International Law'' (OUP 2008).<br />
 
<!--
 
<!--
