Difference between revisions of "Scenario 03: Cyber operation against the power grid"

no edit summary
(→‎Keywords: integrating comments DW)
=== Facts ===
Government-owned company X is responsible for the distribution of electricity across a large part of the territory of State A. Accordingly, its infrastructure has been designated as part of “critical national infrastructure” by the domestic law.
Delivery of computers procured as part of the modernisation of the [[Glossary|industrial control systems (ICS)]] used by company X is, unbeknownst to either of the contractual parties, compromised by attackers who succeed in installing concealed remote-control equipment in the computers in question. Once the computers are integrated in the ICS, the attackers are able to remotely monitor the activities in the technical control centre and to assume control over the infrastructure of company X without the staff knowing.
In the meantime, the relationship between States A and B, frail due to a shared history and a complicated ethnic composition of State A, whom State B periodically accuses of mistreating its large ethnic minority, significantly deteriorates. At one point, the distribution of power to tens of thousands of households in State A suddenly comes to a halt.
The scenario notes that the cyber operation against company X had caused significant inconvenience to many households in State A. The blackout must also have resulted in economic damage to company X and other actors on State A’s territory, likely including the State itself. However, there is no indication of actual physical damage having occurred or of any injury to individuals as a result of the operation. Therefore, the principal legal question is whether such forms of interference may be categorized as a use of force inconsistent with Article 2(4) of the UN Charter. As noted, the law is unsettled in this regard and a clear conclusion cannot be made at present.
In any event, the characterization of an incident of this nature as amounting to a use of force would be of limited consequence in the present scenario. This is because even if a particular act by a State qualifies as prohibited force, the victim State and its allies may only respond in self-defence if the said act is additionally of sufficient gravity to amount to an “armed attack”,<ref> [https://treaties.un.org/doc/publication/ctc/uncharter.pdf Charter of the United Nations] (adopted 26 June 1945, entered into force 24 October 1945) 1 UNTS 16 (UN Charter) Art 51. A minority view should be acknowledged here, according to which the right of self-defense potentially applies against any illegal use of force, irrespective of its qualification as an “armed attack”. See, eg, US DoD, ''[https://dod.defense.gov/Portals/1/Documents/pubs/DoD%20Law%20of%20War%20Manual%20-%20June%202015%20Updated%20Dec%202016.pdf?ver=2016-12-13-172036-190 Law of War Manual]'' (December 2016), para</ref> and even then, the permitted response is further limited by the conditions of necessity and proportionality.<ref> See, eg, ''[https://www.icj-cij.org/files/case-related/70/070-19860627-JUD-01-00-EN.pdf Military and Paramilitary Activities in and against Nicaragua] (Nicaragua v US)'' (Merits) [1986] ICJ Rep 14, para 194; ''[https://www.icj-cij.org/files/case-related/95/095-19960708-ADV-01-00-EN.pdf Legality of the Threat or Use of Nuclear Weapons Case]'' (Advisory Opinion) [1996] ICJ Rep 226, para 41; ''[https://www.icj-cij.org/files/case-related/90/090-20031106-JUD-01-00-EN.pdf Oil Platforms] (Iran v US)'' [2003] ICJ Rep 161, para 43.</ref> However, the lack of destructive effects in State A strongly militates against the qualification of the cyber operation by State B as an “armed attack” under international law.<ref> ''[https://www.icj-cij.org/files/case-related/70/070-19860627-JUD-01-00-EN.pdf Military and Paramilitary Activities in and against Nicaragua] (Nicaragua v US)'' (Merits) [1986] ICJ Rep 14, para 195 (holding that an operation must be characterized by sufficient “scale and effects” in order to qualify as an “armed attack”); but see [https://doi.org/10.1017/9781316822524 Tallinn Manual 2.0], commentary to rule 71, para 12 (noting that some experts held “the view that a cyber operation directed against a State’s critical infrastructure that causes severe, albeit not destructive, effects would qualify as an armed attack“).</ref>
Moreover, the fact that the source of the disruption was only identified ''after'' the disruptive effects had been addressed means that at that point, it could no longer be said that a use of force in self-defence by State A or by alliance O was necessary to repel an ongoing attack by State B.<ref> Cf G Nolte and A Randelzhofer, ‘Article 51’ in B Simma et al (eds), ''The Charter of the United Nations: A Commentary'' (3rd edn, OUP 2012) vol II, 1426–27, para 60 (noting that the use of force in self-defence is limited to ending the attack so that the specific impulse from which the attack emerged is no longer present).</ref> Of course, State A would still be entitled to call upon the UN Security Council to qualify the cyber operation as having amounted to a “breach of the peace” and to decide on measures under Chapter VII of the UN Charter.<ref>See [https://treaties.un.org/doc/publication/ctc/uncharter.pdf Charter of the United Nations] (adopted 26 June 1945, entered into force 24 October 1945) 1 UNTS 16 (UN Charter) Art 39.</ref>