Difference between revisions of "Scenario 03: Cyber operation against the power grid"

== Legal analysis ==
''For a general overview of the structure of analysis in this section, see [[Note on the structure of articles]].''
The analysis in this scenario focusses on the responsibility of State B for potential violations of international law as against State A. It assumes that the cyber operation against company X was attributable to State B. Given the facts of the scenario, this assumption is not particularly controversial. As noted, the technical investigation of the incident showed that the equipment used to compromise the grid had been installed by the intelligence service of State B. Pursuant to Article 4 of the ILC Articles on State Responsibility for Internationally Wrongful Acts, the conduct of any State organ, irrespective of its position within the State, its functions and its character as an organ within the central government or territorial unit, shall be considered an act of that State. Intelligence services undoubtedly form part of the executive power and their conduct is thus attributable to the relevant State under Article 4. Accordingly, the remainder of the analysis considers which specific rules of international law, if any, may have been breached by the operation in question.
Finally, even if the GGE did have the mandate and ability to identify relevant rules of custom, it most certainly did not do so with regard to operations against critical national infrastructure. It is manifest from the formulation cited above that the governmental experts did not consider any intentional cyber operation against critical national infrastructure to be internationally unlawful. Rather, they included the phrase “contrary to its obligations under international law”, confirming that on their view, such an operation would only violate international law if there is an ''additional'' obligation that would be breached by the operation in question.<ref>Cf. UN GGE 2015 report, para. 13(f).</ref>
In sum, the preferred view is that a standalone rule prohibiting cyber operations against critical national infrastructure has not emerged in international law thus far. As such, the incident in the scenario cannot be described as infringing this supposed obligation.
== Checklist ==