Editing Scenario 08: Certificate authority hack

Jump to navigation Jump to search

Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.

The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then save the changes below to finish undoing the edit.

Latest revision Your text
Line 1: Line 1:
  +
[[File:Golden Bull of Sicily.jpg|425x425px|Golden Bull of Sicily|alt=|thumb]]
__NUMBEREDHEADINGS__
 
[[File:20121020200412!Basel 2012-10-06 Batch Part 5 (36).JPG|alt=|thumb|300x300px|Seal, Basel University. Photo by User:Mattes (CC-BY-SA 2.5).]]
 
 
The scenario analyses a cyber operation against a certificate authority that provides services to private and public entities, with indications that the operation was commissioned or exploited by a State. What are the relevant human rights obligations in cyberspace? What other international obligations may have been breached?
 
The scenario analyses a cyber operation against a certificate authority that provides services to private and public entities, with indications that the operation was commissioned or exploited by a State. What are the relevant human rights obligations in cyberspace? What other international obligations may have been breached?
   
Line 9: Line 8:
   
 
=== Facts ===
 
=== Facts ===
'''[F1]''' A company based in State A provides certificate authority services, including for government departments and agencies of State A. It has now been hacked by intruders, who assume control of the company’s certificate-issuing servers and, for several weeks, proceed to issue fraudulent certificates for private sector services, such as email or VoIP based telephony, but also for services related to the company register in State A (<b>incident 1</b>). Indicators of compromise (IoCs) point to the use of proxies (an unaffiliated group) in incident 1.
+
A company based in State A provides certificate authority services, including for government departments and agencies of State A. It has now been hacked by intruders, who assume control of the company’s certificate-issuing servers and, for several weeks, proceed to issue fraudulent certificates for private sector services, such as email or VoIP based telephony, but also for services related to the company register in State A. Indicators of compromise (IoCs) point to the use of proxies (an unaffiliated group) in incident 1, but eventually lead to State B’s intelligence service, which had ordered and paid the group to issue some of the fraudulent certificates in incident 2, including to the company register in State A (<b>incident 1</b>).
   
'''[F2]''' The fraudulent certificates are later used in a massive man-in-the-middle attack to intercept free email communication of several hundreds of thousands of individuals in State A (<b>incident 2</b>). Available evidence shows that State B’s intelligence service ordered and paid the above-mentioned group to issue some of the fraudulent certificates, including to the company register in State A. State B's intelligence service then used the certificates in conducting its mass surveillance operation.
+
The fraudulent certificates are later used in a massive man-in-the-middle attack to intercept free email communication of several hundreds of thousands of individuals in State A (<b>incident 2</b>). Available evidence shows that this mass surveillance operation was fully conducted by State B’s intelligence service.
   
'''[F3]''' Eventually, all of the certificates issued by the company are blacklisted by the major internet browsers, the attack is contained, and the company files for bankruptcy.
+
Eventually, all of the certificates issued by the company are blacklisted by the major internet browsers, the attack is contained, and the company files for bankruptcy.
   
'''[F4]''' State A and State B are State parties to the International Covenant on Civil and Political Rights (ICCPR).<ref>International Covenant on Civil and Political Rights (adopted 16 December 1966, entered into force 23 March 1976) 999 UNTS 171 ([https://www.ohchr.org/en/professionalinterest/pages/ccpr.aspx ICCPR]).</ref>
+
State A and State B are States parties to the International Covenant on Civil and Political Rights (ICCPR).<ref>International Covenant on Civil and Political Rights (adopted 16 December 1966, entered into force 23 March 1976) 999 UNTS 171 ([https://www.ohchr.org/en/professionalinterest/pages/ccpr.aspx ICCPR]).</ref>
   
 
=== Examples ===
 
=== Examples ===
Line 23: Line 22:
 
<i>For a general overview of the structure of analysis in this section, see [[Note on the structure of articles]].</i>
 
<i>For a general overview of the structure of analysis in this section, see [[Note on the structure of articles]].</i>
   
'''[L1]''' The legal analysis first briefly deals with the attribution of incidents 1 and 2 to State B, then continues with the breach of State B’s obligations to respect the sovereignty of other States, prohibition of intervention, and the obligations arising from international human rights law.
+
The legal analysis first briefly deals with the attribution of incidents 1 and 2 to State B, then continues with the breach of State B’s obligations to respect the sovereignty of other States, prohibition of intervention, and the obligations arising from international human rights law.
   
 
=== Attribution ===
 
=== Attribution ===
 
==== Non-State actors ====
 
==== Non-State actors ====
 
{{#lst:Attribution|Non-State actors}}
 
{{#lst:Attribution|Non-State actors}}
'''[L2]''' In the present scenario, it is crucial that State B ordered and paid the group to issue some of the fraudulent certificates in incident 1. The fact of accepting this order confirms the existence of a factually subordinate relationship at the relevant time, and thus the conduct of the non-State group is attributable to State B under the “instruction” standard of Article 8 of ILC’s Articles on State Responsibility.<ref>See Kubo Mačák, ‘[https://doi.org/10.1093/jcsl/krw014 Decoding Article 8 of the International Law Commission’s Articles on State Responsibility: Attribution of Cyber Operations by Non-State Actors]’ (2016) 21 JCSL 405, 415 (“the non-State entity must be factually subordinate to the State at the moment when the State decides to commit the acts in question”).</ref>
+
In the present scenario, it is crucial that State B ordered and paid the group to issue some of the fraudulent certificates in incident 1. The fact of accepting this order confirms the existence of a factually subordinate relationship at the relevant time, and thus the conduct of the non-State group is attributable to State B under the “instruction” standard of Article 8 of ILC’s Articles on State Responsibility.<ref>See Kubo Mačák, ‘[https://doi.org/10.1093/jcsl/krw014 Decoding Article 8 of the International Law Commission’s Articles on State Responsibility: Attribution of Cyber Operations by Non-State Actors]’ (2016) 21 JCSL 405, 415 (“the non-State entity must be factually subordinate to the State at the moment when the State decides to commit the acts in question”).</ref>
   
 
==== State organs ====
 
==== State organs ====
 
{{#lst:Attribution|State organs}}
 
{{#lst:Attribution|State organs}}
'''[L3]''' The intelligence service of State B is an organ of that State; therefore, its conduct is attributable to State B. In the present scenario, this covers the mass interception of emails in State A (incident 2).
+
The intelligence service of State B is an organ of that State; therefore, its conduct is attributable to State B. In the present scenario, this covers the mass interception of emails in State A (incident 2).
   
 
=== Breach of an international obligation ===
 
=== Breach of an international obligation ===
Line 38: Line 37:
 
==== Obligation to respect the sovereignty of other States ====
 
==== Obligation to respect the sovereignty of other States ====
 
{{#lst:Sovereignty|Definition}}
 
{{#lst:Sovereignty|Definition}}
'''[L4]''' There is no evidence that options 1 or 2 would be of relevance in this scenario.
+
There is no evidence that options 1 or 2 would be of relevance in this scenario.
   
'''[L5]''' With respect to option 3, the fact that the company’s certificates were blacklisted implies that the services using the certificates had to change to a different certificate authority. In the meantime, the trust in these services could not be guaranteed. Some websites using the blacklisted certificates would function, but browsers would issue security alerts, leading to economic losses for the respective businesses, as customers would be afraid to continue to their websites. Other services had lost functionality until they installed new certificates – especially online payment systems and mobile banking apps would stop working completely.
+
With respect to option 3, the fact that the company’s certificates were blacklisted implies that the services using the certificates had to change to a different certificate authority. In the meantime, the trust in these services could not be guaranteed. Some websites using the blacklisted certificates would function, but browsers would issue security alerts, leading to economic losses for the respective businesses, as customers would be afraid to continue to their websites. Other services had lost functionality until they installed new certificates – especially online payment systems and mobile banking apps would stop working completely.
   
'''[L6]''' The precise threshold of the loss of functionality is difficult to determine. If the loss is only temporary, does not lead to significant disruptions, and can be easily fixed, then it would likely not qualify.<ref>Compare T[https://doi.org/10.1017/9781316822524 allinn Manual 2.0], commentary to rule 4, para 14, wherein some of the experts were willing to characterise as a violation of sovereignty “causing a temporary, but significant, loss of functionality, as in the case of a major DDoS operation”.</ref> However, assuming that the threshold was reached, State B is responsible to the extent that it had ordered the non-State actor to issue some of the fraudulent certificates (incident 1).
+
The precise threshold of the loss of functionality is difficult to determine. If the loss is only temporary, does not lead to significant disruptions, and can be easily fixed, then it would likely not qualify.<ref>Compare T[https://doi.org/10.1017/9781316822524 allinn Manual 2.0], commentary to rule 4, para 14, wherein some of the experts were willing to characterise as a violation of sovereignty “causing a temporary, but significant, loss of functionality, as in the case of a major DDoS operation”.</ref> However, assuming that the threshold was reached, State B is responsible to the extent that it had ordered the non-State actor to issue some of the fraudulent certificates (incident 1).
   
'''[L7]''' As for option 4, some of the affected systems were providing secure access to State A’s company register. Running this register is State A’s inherently governmental function, and if the function could not be provided due to the interference by State B (incident 1), then State B’s conduct had amounted to a violation of State A’s sovereignty.
+
As for option 4, some of the affected systems were providing secure access to State A’s company register. Running this register is State A’s inherently governmental function, and if the function could not be provided due to the interference by State B (incident 1), then State B’s conduct had amounted to a violation of State A’s sovereignty.
   
'''[L8]''' The relevance of Option 5 depends on the legal qualification of the mass interception operation conducted by State B against individuals located in State A’s territory (incident 2). On one view, this is merely surveillance targeted against private persons which, as such, does not interfere with State A’s governmental functions. By contrast, another view is that if the operation in question was conducted in order to collect evidence for criminal proceedings without the consent of State A, then it qualified as a non-consensual exercise of law enforcement functions in State A’s territory. Because law enforcement is exclusively reserved to the territorial State under international law, on this view State B’s conduct would have violated State A’s sovereignty.<ref>Compare [https://doi.org/10.1017/9781316822524 Tallinn Manual 2.0], commentary to rule 4, para 18: “if one State conducts a law enforcement operation against a botnet in order to obtain evidence for criminal prosecution by taking over its command and control servers located in another State without that State’s consent, the former has violated the latter’s sovereignty because the operation usurps an inherently governmental function exclusively reserved to the territorial State under international law.”</ref>
+
Option 5, the usurpation of inherently governmental functions by State B, poses an interesting problem: was State B exercising its law enforcement functions in State A’s territory by the interception of emails of several hundred thousands of people in State A’s territory (incident 2)? If its intelligence service was collecting evidence for criminal proceedings abroad without the consent of State A, then it was exercising law enforcement functions and hence violating State A’s sovereignty;<ref>Compare [https://doi.org/10.1017/9781316822524 Tallinn Manual 2.0], commentary to rule 4, para 18: “if one State conducts a law enforcement operation against a botnet in order to obtain evidence for criminal prosecution by taking over its command and control servers located in another State without that State’s consent, the former has violated the latter’s sovereignty because the operation usurps an inherently governmental function exclusively reserved to the territorial State under international law.”</ref> if it was merely engaging in cyber espionage for national security purposes, then according to this option, it was not usurping inherently governmental functions of State A.<!-- We are unsure as to how incident 2 can be regarded as a usurpation of an inherently governmental function. The man in the middle attack is directed against individuals (not the state or one of its governmental functions) in order to intercept communications - this isn't enforcement jurisdiction, it is surveillance. -->
   
'''[L9]''' On the basis of the foregoing, it can be summarized that in the context of incident 1, State B violated the sovereignty of State A insofar the actions of the non-state actor can be attributed to State B. As for incident 2, the answer is unsettled in the present state of international law and depends primarily on the interpretation of the actual nature of State B’s conduct.
+
On the basis of the foregoing, it can be summarized that in the context of incident 1, State B violated the sovereignty of State A insofar the actions of the non-state actor can be attributed to State B.<!-- In light of our previous comment, this sentence needs revising. It is our view that violations of state sovereignty do not turn on the intention or goal of the offending state. -->
   
 
==== Prohibition of intervention ====
 
==== Prohibition of intervention ====
 
{{#lst:Prohibition of intervention|Definition}}
 
{{#lst:Prohibition of intervention|Definition}}
'''[L10]''' In incident 1, State B interfered with the internal affairs of State A by having a non-State actor issue fraudulent certificates, thereby undermining the security of online government services. However, proving the coercive nature of the act can be difficult. It depends on the ultimate goal of State B, and whether the act can be causally linked to the goal. If State B merely wanted to cause nuisance and economic loss to State A without any particular goal, the act does not qualify as prohibited intervention (even though it does qualify as a violation of sovereignty: see above).
+
In incident 1, State B interfered with the internal affairs of State A by having a non-State actor issue fraudulent certificates, thereby undermining the security of online government services. <!-- We find this discussion troubling. Intervention is defined through the prism of sovereignty, that is, acts amount to unlawful intervention when they coerce a state in relation to a matter that falls within the protected confines of its DR. So, the critical issues is not about the goal or intention of the offending state, but bout the impact of its conduct upon the victim state. -->
   
  +
I<!-- See previous comment. -->
'''[L11]''' In incident 2, the analysis again depends on the goal of State B. If State B wanted to engage in cyber espionage against the Internet users in State A’s territory, or even if it wanted to conduct law enforcement activities in State A’s territory, without any intent to influence State A’s decisions on its internal or external affairs, the prohibition of intervention would not have been breached.
 
   
 
==== Obligations arising from international human rights law ====
 
==== Obligations arising from international human rights law ====
 
{{#lst:International human rights law|Definition}}
 
{{#lst:International human rights law|Definition}}
'''[L12]''' (1) Does the obligation of State B to respect the right to privacy pursuant to Article 17 ICCPR apply to its cyber operations against individuals in State A? The owners and presumably also the content of the intercepted email accounts were located in State A. State B, whose State organ commissioned the preparation of the interception and then executed it itself, would be obligated to respect the human rights of those natural persons if they were under its jurisdiction or control.
+
(1) Does the obligation of State B to respect the right to privacy pursuant to Article 17 ICCPR apply to its cyber operations against individuals in State A? The owners and presumably also the content of the intercepted email accounts were located in State A. State B, whose State organ commissioned the preparation of the interception and then executed it itself, would be obligated to respect the human rights of those persons if they were under its jurisdiction or control.
   
'''[L13]''' According to one line of thought, if an organ of State B can, in the exercise of its jurisdiction, secretly interfere with the human rights of individuals anywhere in the world without the knowledge of the territorial State (in this case, State A), then it is logically the acting State (here, State B), which must ensure that its conduct is in accordance with the requirements of the ICCPR.<ref>Marko Milanovic, ‘[http://www.harvardilj.org/wp-content/uploads/561Milanovic.pdf Human Rights Treaties and Foreign Surveillance: Privacy in the Digital Age]’ (2015) 56/1 HarvIntlLJ , pages 118-119</ref><!-- 1. Is mere interception of communications 'interference'? The US holds that the mere collection of information is not interference with privacy until it has been 'read'. Indeed, even if information is read by algorithms, the US holds that this isn't interference. See post-Snowden statement by NSA director. 2. Is it only metadata intercepted or also content data? US says metadata isn't protected by the right to privacy. But this is patently wrong - see various case law from ECtHR (Malone) and HRC. KM: THIS IS MISPLACED HERE - THE CONCEPT OF INTERFERENCE IS ADDRESSED IN L15 BELOW. -->
+
According to one line of thought, if an organ of State B can, in the exercise of its jurisdiction, secretly interfere with the human rights of individuals anywhere in the world without the knowledge of the territorial State (in this case, State A), then it is logically State B which must make sure that this interference is conducted in accordance with the requirements of the ICCPR.<ref>Marko Milanovic, ‘[http://www.harvardilj.org/wp-content/uploads/561Milanovic.pdf Human Rights Treaties and Foreign Surveillance: Privacy in the Digital Age]’ (2015) 56/1 HarvIntlLJ , pages 118-119</ref>
   
'''[L14]''' By contrast, the counterargument is that extraterritorial measures—such as interception of communications abroad—which do not involve an exercise of physical control over a person or a location fall outside of the jurisdiction and control of the acting State for the purposes of IHRL.<ref>[https://doi.org/10.1017/9781316822524 Tallinn Manual 2.0], commentary to rule 34, para 9 (noting the majority view that “physical control over territory or the individual is required before human rights law obligations are triggered”).</ref> On this view, State B could therefore not be held responsible for violating human rights of the individuals concerned.<!-- This discussion of jurisdiction needs developing. Jurisdiction in cyberspace is complicated and there are various approaches depending upon whose views are being consulted - states (US, for example), UNGA, Sp Rapp on Right to Privacy, HRC General Comment, Inter-American Commission. KM: TEXT HAS BEEN REWRITTEN ACCORDINGLY; FURTHER REFERENCES TO POSSIBLE VIEWS ARE IN FOOTNOTES -->
+
The counterargument is that there is a lack of consensus whether interfering with cyber infrastructure abroad can amount to exerting effective control.<ref>[https://doi.org/10.1017/9781316822524 Tallinn Manual 2.0], commentary to rule 36, para 6.</ref> In the present state of the law, State B therefore cannot be held responsible for violating human rights of the individuals concerned.
   
'''[L15]''' (2) Assuming that the ICCPR applies, a surreptitious interception of emails between individuals is an interference with their right to privacy pursuant to Article 17 ICCPR (specifically, interference with their correspondence).<ref>See, eg, ''[http://hudoc.echr.coe.int/eng?i=001-186048 Case of Big Brother Watch and Others v United Kingdom]'' app no. 58170/13, 62322/14 and 24960/15 (ECtHR 13th September 2018) [303] (the notion of “interference” includes “the interception of the content of communications [and] the interception or obtaining of communications data”).</ref> Depending on the goal of State B, the interception might also implicate Article 19 ICCPR (right to freedom of expression).
+
(2) Assuming that the ICCPR applies, a surreptitious interception of emails between individuals is an interference with their right to privacy pursuant to Article 17 ICCPR (specifically, interference with their correspondence). Depending on the goal of State B, the interception might also implicate Article 19 ICCPR (right to freedom of expression).
   
'''[L16]''' (3) The scenario does not contain any information about State B’s domestic law. If there is a domestic law regulating extraterritorial surveillance or criminal investigation, which is compliant with the requirements of the international obligation (legality, legitimacy of the objective, necessity to achieve the goal, and proportionality), and the email interception is done in accordance with that law, then State B’s activity would be in accordance with the ICCPR.
+
(3) The scenario does not contain any information about State B’s domestic law. If there is a domestic law regulating extraterritorial surveillance or criminal investigation, which is compliant with the requirements of the international obligation (legality, legitimacy of the objective, necessity to achieve the goal, and proportionality), and the email interception is done in accordance with that law, then State B’s activity would be in accordance with the ICCPR.
   
'''[L17]''' With regard to the number of affected individuals (“several hundreds of thousands”), it should be noted that the Court of Justice of the European Union (CJEU) ruled that it would be extremely difficult for bulk online surveillance to be compatible with the EUCFR;<ref>CJEU, the judgments in [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62012CJ0293 C-293/12 ''Digital Rights Ireland Ltd v Minister for Communications, Marine and Natural Resources, Minister for Justice, Equality and Law Reform''] [2014] (ECLI:EU:C:2014:238); [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62012CJ0293 C‑203/15 ''Tele2 Sverige AB v Post- och Telestyrelsen''] [2016] (ECLI:EU:C:2016:970).</ref> however, as of October 2018, the case-law of the ECtHR seems to be developing in a less strict direction.<ref>ECtHR, the Chamber judgments in ''[http://hudoc.echr.coe.int/eng?i=001-183863 Centrum för Rättvisa v Sweden]'' app no. 35252/08 (ECtHR 19th June 2018); ''[http://hudoc.echr.coe.int/eng?i=001-186048 Case of Big Brother Watch and Others v United Kingdom]'' app no. 58170/13, 62322/14 and 24960/15 (ECtHR 13th September 2018).</ref> Although these rulings do not directly apply to States not members of the relevant treaty regimes, they may nonetheless carry persuasive value for the further development of the law in this area.
+
With regard to the number of affected individuals (“several hundreds of thousands”), it should be noted that the Court of Justice of the European Union (CJEU) ruled any bulk online surveillance as incompatible with the EUCFR;<ref>CJEU, the judgments in [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62012CJ0293 C-293/12 ''Digital Rights Ireland Ltd v Minister for Communications, Marine and Natural Resources, Minister for Justice, Equality and Law Reform''] [2014] (ECLI:EU:C:2014:238); [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62012CJ0293 C‑203/15 ''Tele2 Sverige AB v Post- och Telestyrelsen''] [2016] (ECLI:EU:C:2016:970)
   
  +
.</ref> however, as of October 2018, the case-law of the ECtHR seems to be developing in a less strict direction.<ref>ECtHR, the Chamber judgments in ''[http://hudoc.echr.coe.int/eng?i=001-183863 Centrum för Rättvisa v Sweden]'' app no. 35252/08 (ECtHR 19th June 2018); ''[http://hudoc.echr.coe.int/eng?i=001-186048 Case of Big Brother Watch and Others v United Kingdom]'' app no. 58170/13, 62322/14 and 24960/15 (ECtHR 13th September 2018)
'''[L18]''' To sum up the three steps of the test, it cannot be concluded that the interception of emails by itself amounts to a violation of international human rights law. Although such conduct would most certainly interfere with several human rights of the affected individuals, its compatibility with IHRL would fall to be determined by the justification proffered by the acting State.
 
   
  +
.</ref> Although these rulings do not directly apply to States not members of the relevant international organizations, they may nonetheless carry persuasive value for the further development of the law in this area.
'''[L19]''' The positive obligation of State A (to take all reasonable measures to protect the human rights of persons in its territory who have been targeted by State B's operation) encompasses protecting the persons from further abuse of their rights, taking appropriate measures against the perpetrators of the abuse, but also measures to prevent an abuse if there are grounds to believe that such abuse will occur. In the situation at hand, the obligation would likely include the duty of State A to rapidly investigate incident 1 and to prevent or reduce the impact of incident 2 by immediately informing the international cyber security community about the fraudulent certificates.
 
  +
 
To sum up the three steps of the test, it cannot be concluded that the interception of emails by itself amounts to a violation of international human rights law. Although such conduct would most certainly interfere with several human rights of the affected individuals, its compatibility with IHRL would fall to be determined by the justification proffered by the acting State.
   
 
== Checklist ==
 
== Checklist ==
 
* Attribution: Did State B provide instructions or exercise direction or control over the non-State actor?
* [[Attribution]]:
 
 
* Attribution: Is an intelligence agency a State organ of State B?
** Did State B provide instructions or exercise direction or control over the non-State actor?
 
  +
* Sovereignty: Did State B’s operation cause a loss of functionality of another State’s cyber infrastructure?
** Is an intelligence agency a State organ of State B?
 
  +
* Sovereignty: Did State B usurp State A’s inherently governmental functions by its cyber operation in State A’s territory?
* [[Sovereignty]]:
 
** Did State B’s operation cause a loss of functionality of another State’s cyber infrastructure?
+
* Prohibited intervention: Did State B try to coerce State A by its cyber operation?
** Did State B usurp State A’s inherently governmental functions by its cyber operation in State A’s territory?
+
* International human rights law: Does the ICCPR apply to State B’s cyber operation abroad?
 
* International human rights law: Which human rights are implicated by State B’s cyber operation?
* [[Prohibition of intervention]]:
 
 
* International human rights law: Is State B’s cyber operation justified from the perspective of international human rights law?
** Did State B try to coerce State A by its cyber operation?
 
* [[International human rights law]]:
 
** Does the ICCPR apply to State B’s cyber operation abroad?
 
** Which human rights are implicated by State B’s cyber operation?
 
** Is State B’s cyber operation justified from the perspective of international human rights law?
 
   
 
== Appendixes ==
 
== Appendixes ==
Line 110: Line 107:
 
*Michael N Schmitt and Liis Vihul, ‘[https://texaslawreview.org/respect-sovereignty-cyberspace/ Respect for Sovereignty in Cyberspace]’ (2017) 95 Tex L Rev. 1639.
 
*Michael N Schmitt and Liis Vihul, ‘[https://texaslawreview.org/respect-sovereignty-cyberspace/ Respect for Sovereignty in Cyberspace]’ (2017) 95 Tex L Rev. 1639.
 
*Sean Watts & Theodore Richard, '[https://law.lclark.edu/live/files/26902-lcb223article3wattspdf Baseline Territorial Sovereignty and Cyberspace]' (2018) 22 Lewis & Clark L. Rev. 771.
 
*Sean Watts & Theodore Richard, '[https://law.lclark.edu/live/files/26902-lcb223article3wattspdf Baseline Territorial Sovereignty and Cyberspace]' (2018) 22 Lewis & Clark L. Rev. 771.
*Katja Ziegler, “[http://opil.ouplaw.com/view/10.1093/law:epil/9780199231690/law-9780199231690-e1398 Domaine Réservé]”, in Rudiger Wolfrum (ed), ''Max Planck Encyclopedia of Public International Law'' (OUP 2008).
+
*Katja Ziegler, “[http://opil.ouplaw.com/view/10.1093/law:epil/9780199231690/law-9780199231690-e1398 Domaine Réservé]”, in Rudiger Wolfrum (ed), ''Max Planck Encyclopedia of Public International Law'' (OUP 2008). <br />
  +
<!--
  +
* MN Schmitt (ed), ''Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations'' (CUP 2017)
  +
* Etc.
  +
-->
   
 
=== Contributions ===
 
=== Contributions ===
* Scenario by: [[People#Editorial_board|Taťána Jančárková]] & [[People#Editorial_board|Tomáš Minárik]]
+
* Scenario by: [[People|Taťána Jančárková]] & [[People|Tomáš Minárik]]
* Analysis by: [[People#Editorial_board|Tomáš Minárik]]
+
* Analysis by: [[People|Tomáš Minárik]]
  +
* Reviewed by: [[Peer reviewers|Reviewer793]]
* Reviewed by: [[People#Peer_reviewers|Russell Buchan]]; [[People#Peer_reviewers|Jakub Harašta]]; [[People#Peer_reviewers|Tomáš Morochovič]]
 
   
 
{| class="wikitable"
 
{| class="wikitable"

Please note that all contributions to International cyber law: interactive toolkit are considered to be released under the Creative Commons Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) (see International cyber law: interactive toolkit:Copyrights for details). If you do not want your writing to be edited mercilessly and redistributed at will, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource. Do not submit copyrighted work without permission!

Cancel Editing help (opens in new window)