Main Page: Difference between revisions
Jump to navigation
Jump to search
Content added Content deleted
mNo edit summary |
No edit summary |
||
| (36 intermediate revisions by 3 users not shown) | |||
| Line 1: | Line 1: | ||
<div class="res-img no-pointer-events"><!-- |
<div class="res-img no-pointer-events">[[File:MainBanner.jpg]]<!-- CfP BANNER: [[File:MainBannerCall2024.jpg]]--></div> |
||
__NOTOC__ |
__NOTOC__ |
||
<!--__NONUMBEREDHEADINGS__--> |
<!--__NONUMBEREDHEADINGS__--> |
||
| Line 15: | Line 15: | ||
| id="mp-left" class="MainPageBG" style="width:50%; border:1px solid #bbceed; padding:0; background:#ffffff; vertical-align:top; color:#000;" | |
| id="mp-left" class="MainPageBG" style="width:50%; border:1px solid #bbceed; padding:0; background:#ffffff; vertical-align:top; color:#000;" | |
||
<h2 id="mp-tfa-h2" style="margin:0.5em; background:#bbceed; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #a3bfb1; color:#000; padding:0.2em 0.4em;">About the project</h2> |
<h2 id="mp-tfa-h2" style="margin:0.5em; background:#bbceed; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #a3bfb1; color:#000; padding:0.2em 0.4em;">About the project</h2> |
||
<div id="mp-tfa" style="padding:0.1em 0.6em;">The '''Cyber Law Toolkit''' is a dynamic interactive web-based resource for legal professionals who work with matters at the intersection of international law and [[Glossary#C|cyber operations]]. The Toolkit may be explored and utilized in a number of different ways. At its core, it presently consists of |
<div id="mp-tfa" style="padding:0.1em 0.6em;">The '''Cyber Law Toolkit''' is a dynamic interactive web-based resource for legal professionals who work with matters at the intersection of international law and [[Glossary#C|cyber operations]]. The Toolkit may be explored and utilized in a number of different ways. At its core, it presently consists of 28 hypothetical [[:Category:Scenario|scenarios]]. Each scenario contains a description of cyber incidents inspired by real-world examples, accompanied by detailed legal analysis. The aim of the analysis is to examine the applicability of international law to the scenarios and the issues they raise. You can see all scenarios in the box immediately below – just click on any of them to follow the relevant analysis. In addition, you may want to explore the Toolkit by looking for [[keywords]] you’re interested in; by viewing its overall [[List of articles|article structure]]; by browsing through the [[:Category:National position|national positions]] on international law in cyberspace; or by reading about individual [[List_of_articles#Real-world_examples|real-world examples]] that serve as the basis of the Toolkit scenarios. Finally, you may want to use the search function in the top right corner of this page to look for specific words across all of the Toolkit content.</div> |
||
<h2 id="mp-dyk-h2" style="clear:both; margin:0.5em; background:#bbceed; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #a3bfb1; color:#000; padding:0.2em 0.4em;">Cyber law scenarios</h2> |
<h2 id="mp-dyk-h2" style="clear:both; margin:0.5em; background:#bbceed; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #a3bfb1; color:#000; padding:0.2em 0.4em;">Cyber law scenarios</h2> |
||
<div id="mp-dyk" style="padding:0.1em 0.6em 0.5em;"> |
<div id="mp-dyk" style="padding:0.1em 0.6em 0.5em;"> |
||
| Line 50: | Line 50: | ||
|- |
|- |
||
|[[File:Scn25.JPG|center|120px|link=Scenario 25: Cyber disruption of humanitarian assistance]][[Scenario 25: Cyber disruption of humanitarian assistance|S25<br>Humanitarian<br>assistance]] |
|[[File:Scn25.JPG|center|120px|link=Scenario 25: Cyber disruption of humanitarian assistance]][[Scenario 25: Cyber disruption of humanitarian assistance|S25<br>Humanitarian<br>assistance]] |
||
|[[File:Cyber-security-g97a081f15 1920.jpg|center|120px|link=Scenario 26: Export licensing of intrusion tools]][[Scenario 26: Export licensing of intrusion tools|S26<br>Export<br>licensing]] |
|||
| |
|||
|[[File:Scn27.jpg|center|120px|link=Scenario 27: Contesting and redirecting ongoing attacks]][[Scenario 27: Contesting and redirecting ongoing attacks|S27<br>Redirecting<br>attacks]] |
|||
| |
|||
|[[File:Scn28.jpg|center|120px|link=Scenario 28: Extraterritorial incidental civilian cyber harm]][[Scenario 28: Extraterritorial incidental civilian cyber harm|S28<br>Incidental<br>harm]] |
|||
| |
|||
|} |
|} |
||
</div> |
</div> |
||
| Line 59: | Line 59: | ||
| id="mp-right" class="MainPageBG" style="width:50%; border:1px solid #bbceed; padding:0; background:#ffffff; vertical-align:top;"| |
| id="mp-right" class="MainPageBG" style="width:50%; border:1px solid #bbceed; padding:0; background:#ffffff; vertical-align:top;"| |
||
<h2 id="mp-itn-h2" style="margin:0.5em; background:#bbceed; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #a3b0bf; color:#000; padding:0.2em 0.4em;">Featured incident</h2> |
<h2 id="mp-itn-h2" style="margin:0.5em; background:#bbceed; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #a3b0bf; color:#000; padding:0.2em 0.4em;">Featured incident</h2> |
||
<choose |
<choose> |
||
<option> |
<option> |
||
<!-- INCIDENT 9--> |
|||
<div id="mp-itn" style="padding:0.1em 0.6em;">[[File:Unemblem.gif|left|150px]] |
|||
On 29 January 2020, ''The New Humanitarian'' [https://www.thenewhumanitarian.org/investigation/2020/01/29/united-nations-cyber-attack?utm_source=The+New+Humanitarian&utm_campaign=c8dddbbc45-EMAIL_CAMPAIGN_2020_01_29&utm_medium=email&utm_term=0_d842d98289-c8dddbbc45-75573037 reported] that dozens of servers were “compromised” at the United Nations offices in Geneva and Vienna. The attack dated back to July 2019 and affected staff records, health insurance, and commercial contract data. According to an unnamed UN official cited in an Associated Press [https://apnews.com/0d958e15d7f5081dd612f07482f48b73 report] on the same day, the level of sophistication was so high that it was possible a State-backed actor might have been behind it. Within the Toolkit, [[Scenario 04: A State’s failure to assist an international organization|Scenario 04]] specifically considers a hypothetical situation in which an international organization falls victim to cyber attacks, the impact of which could and should have been averted by the host State.</div> |
|||
</option> |
|||
<option> |
|||
<!-- INCIDENT 10--> |
|||
<div id="mp-itn" style="padding:0.1em 0.6em;">[[File:EUCouncil.png|left|150px]] |
|||
On 30 July 2020, the Council of the European Union [https://www.consilium.europa.eu/en/press/press-releases/2020/07/30/eu-imposes-the-first-ever-sanctions-against-cyber-attacks/ decided] to impose restrictive measures against six individuals and three entities considered to be responsible for or involved in various hostile cyber operations. These included the [[Attempted hack of the OPCW (2018)|attempted hack of the Organization for the Prohibition of Chemical Weapons (OPCW)]] and the [[WannaCry (2017)|WannaCry]] and [[NotPetya (2017)|NotPetya]] incidents. The sanctions imposed included a travel ban and an asset freeze. In addition, EU persons and entities were prohibited from making funds available to those listed. This was the first time the EU has imposed restrictive measures of this kind. Within the Toolkit, [[Scenario 04: A State’s failure to assist an international organization|Scenario 04]] specifically considers a hypothetical situation in which an international organization falls victim to cyber attacks, and [[Scenario 17: Collective responses to cyber operations|Scenario 17]] discusses the legality of targeted restrictive measures of this kind from the perspective of international law.</div> |
|||
</option> |
|||
<option> |
|||
<!-- INCIDENT 11--> |
|||
<div id="mp-itn" style="padding:0.1em 0.6em;">[[File:Brno_(znak).svg|left|150px]] |
|||
On 13 March 2020, Brno University Hospital, the second-largest hospital in the Czech Republic, at the time also providing COVID-19 testing capacities, was [[Brno University Hospital ransomware attack (2020)|targeted by ransomware]]. The hospital was forced to shut down its entire IT network, postpone urgent surgical interventions, and reroute patients to other nearby hospitals. It took several weeks before the hospital was fully operational again. [[Scenario 14: Ransomware campaign|Scenario 14]] in the Toolkit provides the legal analysis of a ransomware campaign against municipal and health care services abroad; [[Scenario 20: Cyber operations against medical facilities|Scenario 20]] and [[Scenario 23: Vaccine research and testing|Scenario 23]] both focus on various cyber operations against hospitals.</div> |
|||
</option> |
|||
<option weight="2"> |
|||
<!-- INCIDENT 12--> |
|||
<div id="mp-itn" style="padding:0.1em 0.6em;">[[File:Microsoft_Exchange_(2019-present).svg|left|150px]] |
|||
On 2 March 2021, Microsoft issued a [https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/ statement] about multiple zero-day exploits in its Exchange Server email software and urged customers to update their systems using a patch released at the same time. Nevertheless, malicious cyber activities escalated, resulting in more than [https://edition.cnn.com/2021/03/10/tech/microsoft-exchange-hafnium-hack-explainer/index.html 250,000 affected customers globally] (including governments as well as the private sector) and involving at least [https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/?utm_source=Twitter&utm_medium=cpc&utm_campaign=WLS_apt_groups&utm_term=WLS_apt_groups&utm_content=blog 10 APT groups]. The original campaign was [https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/ attributed] by Microsoft to ‘Hafnium’, described as a State-sponsored group operating out of China. The hackers used the exploits to gain access to victim organisations’ email systems and to install malware allowing them to maintain long-term access to files, inboxes, and stored credentials. [[Scenario 02: Cyber espionage against government departments|Scenario 02]] of the Toolkit analyses cyber espionage against government departments; economic cyber espionage is discussed in [[Scenario 09: Economic cyber espionage|Scenario 09]].</div> |
|||
</option> |
|||
<option weight="2"> |
|||
<!-- INCIDENT 13--> |
|||
<div id="mp-itn" style="padding:0.1em 0.6em;">[[File:Solarwinds.svg|left|150px]] |
|||
On 13 December 2020, FireEye [https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html announced] the discovery of an ongoing supply chain attack that trojanized SolarWinds Orion business software updates in order to distribute malware. The [https://www.businessinsider.com/solarwinds-hack-explained-government-agencies-cyber-security-2020-12?r=US&IR=T victims] included many U.S. governmental organisations (such as the Department of Homeland Security, the Department of Energy, or the Treasury) and businesses (including Microsoft, Cisco, or Deloitte). Once the systems were infected, hackers could transfer files, execute files, profile the system, reboot the machines, or disable system services. The U.S. government has [https://www.cisa.gov/news/2021/01/05/joint-statement-federal-bureau-investigation-fbi-cybersecurity-and-infrastructure attributed] the attack to an ‘Advanced Persistent Threat Actor, likely Russian in origin’. Even though the campaign’s full scope remains unknown, recovering from the hack and conducting investigations may take up to [https://www.technologyreview.com/2021/03/02/1020166/solarwinds-brandon-wales-hack-recovery-18-months/ 18 months]. In the Toolkit, data theft and cyber espionage against government departments are analysed in [[Scenario 02: Cyber espionage against government departments|Scenario 02]]. Given that private sector organizations were among the victims, [[Scenario 09: Economic cyber espionage|Scenario 09]] on economic cyber espionage is also relevant.</div> |
|||
</option> |
|||
<option weight="2"> |
|||
<!-- INCIDENT 14--> |
<!-- INCIDENT 14--> |
||
<div id="mp-itn" style="padding:0.1em 0.6em;">[[File:Colonial Pipeline.png|left|150px]] |
<div id="mp-itn" style="padding:0.1em 0.6em;">[[File:Colonial Pipeline.png|left|150px]] |
||
| Line 95: | Line 71: | ||
</div> |
</div> |
||
</option> |
</option> |
||
<option weight="2"> |
<option weight="2"> |
||
<!-- INCIDENT 24--> |
|||
<div id="mp-itn" style="padding:0.1em 0.6em;">[[File:Sellafield.png|left|150px]] |
|||
On 4 December 2023, ''The Guardian'' [https://www.theguardian.com/business/2023/dec/04/sellafield-nuclear-site-hacked-groups-russia-china reported] that the Sellafield nuclear site in the United Kingdom was hacked by groups allegedly linked to Russia and China. The breach, first detected in 2015, reportedly involved sleeper malware that may have compromised sensitive operations like radioactive waste handling. Sellafield, crucial for nuclear waste management and housing critical emergency planning documents, was placed under [https://www.onr.org.uk/documents/2023/cni-annual-report-2023.pdf special measures] by the UK Office for Nuclear Regulation. The breach raised significant national security concerns, given the [https://www.ncsc.gov.uk/news/heightened-threat-of-state-aligned-groups rising threats] of cyber-attacks against critical national infrastructure. In the Toolkit, [[Scenario 03: Cyber operation against the power grid|scenario 03]] and [[Scenario 06: Cyber countermeasures against an enabling State|scenario 06]] analyse cyber operations against the critical infrastructure of other States from the perspective of international law. |
|||
</div> |
|||
</option> |
|||
<option> |
|||
<!-- INCIDENT 15--> |
<!-- INCIDENT 15--> |
||
<div id="mp-itn" style="padding:0.1em 0.6em;">[[File:HSE-logo-updated.jpg|left|150px]] |
<div id="mp-itn" style="padding:0.1em 0.6em;">[[File:HSE-logo-updated.jpg|left|150px]] |
||
| Line 103: | Line 87: | ||
</div> |
</div> |
||
</option> |
</option> |
||
<option> |
|||
<!-- INCIDENT 17--> |
|||
<div id="mp-itn" style="padding:0.1em 0.6em;">[[File:HackedForeignMinistry.png|left|150px]] |
|||
On Friday 14 January 2022, approximately 70 Ukrainian government websites were targeted by a large-scale defacement campaign. At a time when tensions between Russia and Ukraine were escalating, the altered text on some of the websites [https://www.nytimes.com/2022/01/14/world/europe/hackers-ukraine-government-sites.html warned] Ukrainians to “be afraid and wait for the worst”. Although most websites were restored within a few hours, the Ukrainian authorities [https://www.reuters.com/world/europe/exclusive-ukraine-suspects-group-linked-belarus-intelligence-over-cyberattack-2022-01-15/ worried] that the operations may have been just a cover for more destructive actions. The identity of the entity responsible for the operations remains unknown (see more [[Pre-invasion cyber operations against government systems in Ukraine (2022)|here]]). Certain aspects, including the use of erroneous Polish, led to [https://www.reuters.com/world/europe/exclusive-ukraine-suspects-group-linked-belarus-intelligence-over-cyberattack-2022-01-15/ suggestions] that the attackers may have been trying to create false traces to impede attribution efforts. In the Toolkit, [[Scenario 15: Cyber deception during armed conflict|Scenario 15]] analyses cyber deception during armed conflicts and [[Scenario 21: Misattribution caused by deception|Scenario 21]] explores the issue of misattribution caused by cyber deception in peacetime. |
|||
</div> |
|||
</option> |
|||
<option> |
|||
<!-- INCIDENT 18--> |
|||
<div id="mp-itn" style="padding:0.1em 0.6em;">[[File:UN emblem blue.svg|left|150px]] |
|||
On 9 September 2021, Bloomberg [https://www.bloomberg.com/news/articles/2021-09-09/united-nations-computers-breached-by-hackers-earlier-this-year reported] that the United Nations’ computer networks had been breached as of April that year. The cyber operation was first alerted to the UN by a cybersecurity company and later [https://www.un.org/sg/en/content/sg/note-correspondents/2021-09-09/note-correspondents-response-questions-about-reported-cyberattack confirmed] by the UN Secretary General’s spokesperson who said that corrective actions were being implemented to mitigate the impact. Although there was no reported damage to the UN systems, [https://www.washingtonpost.com/business/2021/09/09/united-nations-hackers/ analysts] suggested that some of the exfiltrated data could be used to support future attacks against the UN or its agencies. Within the Toolkit, a similar operational methodology is addressed in [[Scenario 02: Cyber espionage against government departments |Scenario 02]], while [[Scenario 04: A State’s failure to assist an international organization|Scenario 04]], specifically analyzes a hypothetical situation in which an international organization falls victim to cyber-attacks, and [[Scenario 12: Cyber operations against computer data|Scenario 12]] considers cyber operations against computer data. |
|||
</div> |
|||
</option> |
|||
<option> |
|||
<!-- INCIDENT 19--> |
|||
<div id="mp-itn" style="padding:0.1em 0.6em;"> [[File:WaikatoHospital.jpg|left|150px]] |
|||
On 18 May 2021, the computer information systems of five hospitals from the Waikato District Health Board in New Zealand were targeted by an unidentified group who [https://www.nzherald.co.nz/nz/waikato-dhb-cyber-attack-group-claims-responsibility-says-it-has-confidential-patient-details/OV6DORGTXIU474ANBCZH7NXZOY/ claimed responsibility] for the ransomware attack. The operation brought down more than 600 servers, hindering access to patient information and communications through the hospital’s lines, impeding the payment of wages and affecting laboratory and radiological services, which took several weeks to restore. The perpetrators accessed patient and staff confidential information and financial data and later [https://www.rnz.co.nz/news/ldr/455535/waikato-dhb-warned-a-cyberattack-catastrophic-for-patient-safety leaked it on the dark web], affecting more than 4,200 people. In the Toolkit, [[Scenario 14: Ransomware campaign|Scenario 14]] addresses the issue of ransomware campaigns launched by non-State groups, and the situation of cyber operations against medical facilities is specifically considered in [[Scenario 20: Cyber operations against medical facilities|Scenario 20]]. |
|||
</div> |
|||
</option> |
|||
<option weight="2"> |
<option weight="2"> |
||
<!-- INCIDENT |
<!-- INCIDENT 20--> |
||
<div id="mp-itn" style="padding:0.1em 0.6em;">[[File: |
<div id="mp-itn" style="padding:0.1em 0.6em;">[[File:VIASAT official png.png|left|150px]] |
||
On 24 February 2022, a specific partition of modems from Viasat’s KASAT satellite network was targeted by a [https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/ wiper malware] rendering thousands of broadband modems permanently inoperable in Ukraine – including those used by military and other governmental agencies – and other users across Europe, resulting in a major loss of internet communication (see more [[Viasat KA-SAT attack (2022)|here]]). The attack’s alleged [https://www.reuters.com/business/energy/satellite-outage-knocks-out-control-enercon-wind-turbines-2022-02-28/ spillover] included the outage of the remote monitoring and control of 5,800 wind turbines in Germany. The attack has been attributed by the [https://www.state.gov/attribution-of-russias-malicious-cyber-activity-against-ukraine/ US], the [https://www.gov.uk/government/news/russia-behind-cyber-attack-with-europe-wide-impact-an-hour-before-ukraine-invasion UK], and the [https://www.consilium.europa.eu/en/press/press-releases/2022/05/10/russian-cyber-operations-against-ukraine-declaration-by-the-high-representative-on-behalf-of-the-european-union/ Council of the EU], to Russia, amid the intensification of the conflict in Ukraine. [https://www.reuters.com/world/europe/russia-behind-cyberattack-against-satellite-internet-modems-ukraine-eu-2022-05-10/ Russia] has repeatedly denied that it carries out offensive cyber operations. In the Toolkit, [[Scenario 03: Cyber operation against the power grid|Scenario 03]] addresses the impact of cyber operations on critical infrastructure, [[Scenario 10: Cyber weapons review|Scenario 10 ]] and [[Scenario 22: Cyber methods of warfare|Scenario 22]] consider issues related to cyber means and methods of warfare, and [[Scenario 24: Internet blockage|Scenario 24]] analyses a hypothetical situation of massive internet outage. |
|||
The first sign of an [[African Union headquarters hack (2020)|malicious cyber activity targeting the headquarters of the African Union in Addis Ababa]] was spotted in January 2020. The suspected actor is the "Bronze President", a hacker group allegedly residing in China. The perpetrators obtained data from the headquarters’ IT system. The data was only transmitted during work hours, which concealed it in the regular data stream. China distanced itself from the activity claiming the incident was supposed to damage Sino-African relations. |
|||
</div> |
|||
</option> |
|||
<option weight="2"> |
|||
In the context of the incident, the main issue is the responsibility of the host State for providing the security of the international organisation, which is developed in [[Scenario 04: A State’s failure to assist an international organization|Scenario 04]]. |
|||
<!-- INCIDENT 22--> |
|||
<div id="mp-itn" style="padding:0.1em 0.6em;">[[File:Flag of Kazakhstan.svg|left|150px]] |
|||
In January 2022, Kazakhstan experienced massive protests caused by a double rise in fuel prices. During the unrest, the Kazakh authorities [https://netblocks.org/reports/internet-disrupted-in-kazakhstan-amid-energy-price-protests-oy9YQgy3 have taken down the internet] nationwide for about five days, intending to “[https://thediplomat.com/2022/01/information-chaos-in-kazakhstan/ suppress terrorists]”. The exact method leading to the internet shutdown remains unclear; the Kazakh authorities [https://theconversation.com/kazakhstans-internet-shutdown-is-the-latest-episode-in-an-ominous-trend-digital-authoritarianism-174651 probably] rerouted domain name servers (DNS) traffic, cooperated with the internet providers who blocked the transmission, or used an internet kill switch. This caused a total disconnection of the country from the outside world and relevant information and affected citizens’ everyday life. [https://www.accessnow.org/kazakhstan-internet-shutdowns-protests-almaty-timeline-whats-happening/ People struggled] to buy food as cards or mobile payments were disabled, and they could not have withdrawn cash. As the clashes turned violent, security forces used [https://www.hrw.org/news/2022/01/26/kazakhstan-killings-excessive-use-force-almaty extensive force] against protesters, with casualties reaching 225 deaths. Also, the global Bitcoin’s computational power [https://fortune.com/2022/01/05/kazakhstan-internet-bitcoin-mining-mystery-crypto/ vanished temporarily], showing the actual size of the cryptocurrency mining business in Kazakhstan. |
|||
The internet blockage, increasingly used as a means of suppression by authoritarian regimes and repeatedly deployed in Kazakhstan, is explored in [[Scenario 24: Internet blockage|Scenario 24]] of the Toolkit. |
|||
</div> |
</div> |
||
</option> |
</option> |
||
<option weight="4"> |
|||
<!-- INCIDENT 23--> |
|||
<div id="mp-itn" style="padding:0.1em 0.6em;">[[File:Flag of Albania.svg|left|150px]] |
|||
Multiple websites and services of the Government of Albania were [https://www.kryeministria.al/en/newsroom/videomesazh-i-kryeministrit-edi-rama/ rendered unavailable on 15 July 2022] as well as the e-Albania portal, and [https://edition.cnn.com/2022/09/10/politics/albania-cyberattack-iran/index.html on 9 September 2022 the border system of the state police was targeted]; however, other state systems were compromised [https://www.microsoft.com/en-us/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government/ between October 2021 and May 2022]. |
|||
It is speculated that, although Homeland Justice declared its responsibility for the disruptive activity, the cyber operations were carried out by [https://www.microsoft.com/en-us/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government/ four state-sponsored actors with ties to Iran]. |
|||
In response to the July cyber operation, Albania decided to [https://www.reuters.com/world/albania-cuts-iran-ties-orders-diplomats-go-after-cyber-attack-pm-says-2022-09-07/ cut diplomatic ties with Iran]. NATO has declared its support of Albania and [https://www.nato.int/cps/en/natohq/official_texts_207156.htm acknowledged the attribution, by some Allies, of the responsibility for the cyber operations to Iran]. [https://www.politico.com/news/2022/10/05/why-albania-chose-not-to-pull-the-nato-trigger-after-cyberattack-00060347 Albania was also considering invoking] Article 5 of The North Atlantic Treaty, to trigger collective defence, but eventually decided against it. Iran has denied its involvement. |
|||
In the Toolkit, [[Scenario 02: Cyber espionage against government departments|Scenario 02]] considers cyber espionage against government departments and [[Scenario 17: Collective responses to cyber operations|Scenario 17]] addresses collective responses to cyber operations. |
|||
</div> |
|||
</option> |
|||
</choose> |
</choose> |
||
<h2 id="mp-other" style="clear:both; margin:0.5em; background:#bbceed; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #a3b0bf; color:#000; padding:0.2em 0.4em;">Quick links</h2> |
<h2 id="mp-other" style="clear:both; margin:0.5em; background:#bbceed; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #a3b0bf; color:#000; padding:0.2em 0.4em;">Quick links</h2> |
||
| Line 120: | Line 143: | ||
* [[List_of_articles#Legal_concepts|'''Legal concepts''']] – Overview of all legal concepts from different branches of international law used across the Toolkit content. |
* [[List_of_articles#Legal_concepts|'''Legal concepts''']] – Overview of all legal concepts from different branches of international law used across the Toolkit content. |
||
* [[List_of_articles#Real-world_examples|'''Examples''']] – List of real-world incidents that have inspired the analysis in the Toolkit. |
* [[List_of_articles#Real-world_examples|'''Examples''']] – List of real-world incidents that have inspired the analysis in the Toolkit. |
||
* [[List_of_articles#National_positions|'''National positions''']] |
* [[List_of_articles#National_positions|'''National positions''']] – List of publicly available national positions on the application of international law to cyber operations. |
||
*'''[[Glossary]]''' – Glossary of the technical terms used in the Toolkit. |
*'''[[Glossary]]''' – Glossary of the technical terms used in the Toolkit. |
||
*'''[[Short form citation]]''' – Abbreviated references for the most commonly used citations in the Toolkit. |
*'''[[Short form citation]]''' – Abbreviated references for the most commonly used citations in the Toolkit. |
||
| Line 129: | Line 152: | ||
<h2 id="mp-otd-h2" style="clear:both; margin:0.5em; background:#bbceed; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #a3b0bf; color:#000; padding:0.2em 0.4em;">Behind the scenes</h2> |
<h2 id="mp-otd-h2" style="clear:both; margin:0.5em; background:#bbceed; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #a3b0bf; color:#000; padding:0.2em 0.4em;">Behind the scenes</h2> |
||
<div id="mp-otd" style="padding:0.1em 0.6em 0.5em;">The project is supported by the following six partner institutions: the [https://www. |
<div id="mp-otd" style="padding:0.1em 0.6em 0.5em;">The project is supported by the following six partner institutions: the [https://www.nukib.cz/en/ Czech National Cyber and Information Security Agency] (NÚKIB), the [https://www.icrc.org International Committee of the Red Cross] (ICRC), the [https://ccdcoe.org/ NATO Cooperative Cyber Defence Centre of Excellence] (CCDCOE), the [https://www.exeter.ac.uk/ University of Exeter], United Kingdom, the [https://usnwc.edu/Research-and-Wargaming/Research-Centers/Stockton-Center-for-International-Law U.S. Naval War College], United States, and [https://en.whu.edu.cn Wuhan University], China. The core of the project team consists of [https://socialsciences.exeter.ac.uk/law/staff/macak/ Dr Kubo Mačák] (University of Exeter) – General Editor; Mr Tomáš Minárik (NÚKIB) – Managing Editor; and Mr Otakar Horák (CCDCOE) – Scenario Editor. <!-- The pilot year of the project (2018/19) was supported through the [https://esrc.ukri.org/collaboration/collaboration-oportunities/impact-acceleration-accounts/ UK ESRC IAA Project Co-Creation] scheme.--> The individual scenarios and the Toolkit as such have been reviewed by a team of over 30 [[People#Peer_reviewers|peer reviewers]]. The Toolkit was formally launched on 28 May 2019 in Tallinn, Estonia; its Chinese launch took place on 2 November 2019 in Wuhan, China; it received its most recent general annual update on 20 October 2022; and it remains continuously updated. For questions about the project including media enquiries, please contact us at cyberlaw@exeter.ac.uk.</div> |
||
|} |
|} |
||
<!-- END OF MIDDLE BOX --> |
<!-- END OF MIDDLE BOX --> |
||
<!-- SECTIONS AT BOTTOM OF PAGE --> |
<!-- SECTIONS AT BOTTOM OF PAGE --> |
||
<!-- CALL FOR SUBMISSIONS SECTION - CURRENTLY NOT IN USE |
|||
<!-- |
|||
<div id="mp-lower" style="padding-top:4px; padding-bottom:2px; overflow:auto; border:1px solid #e2e2e2; overflow:auto; margin-top:4px;"><h2 id="mp-other" style="margin:0.5em; background:#bbceed; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #a3b0bf; color:#000; padding:0.2em 0.4em;">Call for submissions</h2> |
<div id="mp-lower" style="padding-top:4px; padding-bottom:2px; overflow:auto; border:1px solid #e2e2e2; overflow:auto; margin-top:4px;"><h2 id="mp-other" style="margin:0.5em; background:#bbceed; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #a3b0bf; color:#000; padding:0.2em 0.4em;">Call for submissions</h2> |
||
Cyber Law Toolkit is now inviting submissions for its next general update in |
Cyber Law Toolkit is now inviting submissions for its next general update in 2024. Successful authors will be awarded an honorarium. This call for submissions is open until '''1 December 2023'''. Full text of the call with submission dates and contacts is available for download here: [Https://ccdcoe.org/uploads/2023/10/Cyber-Law-Toolkit-call-for-submissions-2024.pdf Call for submissions (PDF)] --> |
||
--> |
|||
<!-- REMOVED OLD OTHER RESOURCES BOX |
<!-- REMOVED OLD OTHER RESOURCES BOX |
||
<h2 id="mp-other" style="margin:0.5em; background:#eeeeee; border:1px solid #ddd; color:#222; padding:0.2em 0.4em; font-size:120%; font-weight:bold; font-family:inherit;">Other resources</h2> |
<h2 id="mp-other" style="margin:0.5em; background:#eeeeee; border:1px solid #ddd; color:#222; padding:0.2em 0.4em; font-size:120%; font-weight:bold; font-family:inherit;">Other resources</h2> |
||
| Line 152: | Line 174: | ||
</div> |
</div> |
||
<!-- TO ADD A SECTION JUST DELETE THIS LINE... |
<!-- TO ADD A SECTION JUST DELETE THIS LINE... |
||
<h2 id="mp-sister" style="margin:0.5em; background:#eeeeee; border:1px solid #ddd; color:#222; padding:0.2em 0.4em; font-size:120%; font-weight:bold; font-family:inherit;">[EMPTY SECTION]</h2> |
<h2 id="mp-sister" style="margin:0.5em; background:#eeeeee; border:1px solid #ddd; color:#222; padding:0.2em 0.4em; font-size:120%; font-weight:bold; font-family:inherit;">[EMPTY SECTION]</h2> |
||
| Line 191: | Line 212: | ||
<div id="mp-itn" style="padding:0.1em 0.6em;">[[File:CyberCommand.jpg|left|150px]] |
<div id="mp-itn" style="padding:0.1em 0.6em;">[[File:CyberCommand.jpg|left|150px]] |
||
On 20 June 2019, the US Cyber Command launched multiple cyber attacks [https://www.theguardian.com/world/2019/jun/23/us-launched-cyber-attack-on-iranian-rockets-and-missiles-reports disabling] computer systems that controlled Iran’s rocket launchers and [https://www.nytimes.com/2019/08/28/us/politics/us-iran-cyber-attack.html wiping out] a critical database of Iran’s Islamic Revolutionary Guard Corps. The attacks [https://www.nytimes.com/2019/06/22/us/politics/us-iran-cyber-attacks.html were reportedly] a direct response to earlier attacks against oil tankers in the Persian Gulf and the downing of an American surveillance drone after it had [https://www.aljazeera.com/news/2019/06/iran-revolutionary-guard-shoots-spy-drone-report-190620035802427.html allegedly entered] Iran’s airspace. Iran has [https://www.theguardian.com/world/2019/jun/13/a-visual-guide-to-the-gulf-tanker-attacks denied] all responsibility for the tanker attacks. The cyber attacks were conducted the same day that President Trump [https://www.nytimes.com/2019/06/20/world/middleeast/iran-us-drone.html called off] a military strike against Iran and were reportedly intended to remain below the threshold of armed conflict. The Toolkit considers whether specific cyber operations amount to uses of force in [[Scenario 03: Cyber operation against the power grid|scenario 03]] and [[Scenario 14: Ransomware campaign|scenario 14]]. Moreover, [[Scenario 13: Cyber operations as a trigger of the law of armed conflict|scenario 13]] examines when cyber operations may trigger the application of international humanitarian law.</div> |
On 20 June 2019, the US Cyber Command launched multiple cyber attacks [https://www.theguardian.com/world/2019/jun/23/us-launched-cyber-attack-on-iranian-rockets-and-missiles-reports disabling] computer systems that controlled Iran’s rocket launchers and [https://www.nytimes.com/2019/08/28/us/politics/us-iran-cyber-attack.html wiping out] a critical database of Iran’s Islamic Revolutionary Guard Corps. The attacks [https://www.nytimes.com/2019/06/22/us/politics/us-iran-cyber-attacks.html were reportedly] a direct response to earlier attacks against oil tankers in the Persian Gulf and the downing of an American surveillance drone after it had [https://www.aljazeera.com/news/2019/06/iran-revolutionary-guard-shoots-spy-drone-report-190620035802427.html allegedly entered] Iran’s airspace. Iran has [https://www.theguardian.com/world/2019/jun/13/a-visual-guide-to-the-gulf-tanker-attacks denied] all responsibility for the tanker attacks. The cyber attacks were conducted the same day that President Trump [https://www.nytimes.com/2019/06/20/world/middleeast/iran-us-drone.html called off] a military strike against Iran and were reportedly intended to remain below the threshold of armed conflict. The Toolkit considers whether specific cyber operations amount to uses of force in [[Scenario 03: Cyber operation against the power grid|scenario 03]] and [[Scenario 14: Ransomware campaign|scenario 14]]. Moreover, [[Scenario 13: Cyber operations as a trigger of the law of armed conflict|scenario 13]] examines when cyber operations may trigger the application of international humanitarian law.</div> |
||
</option> |
|||
<!-- INCIDENT 9 |
|||
<div id="mp-itn" style="padding:0.1em 0.6em;">[[File:Unemblem.gif|left|150px]] |
|||
On 29 January 2020, ''The New Humanitarian'' [https://www.thenewhumanitarian.org/investigation/2020/01/29/united-nations-cyber-attack?utm_source=The+New+Humanitarian&utm_campaign=c8dddbbc45-EMAIL_CAMPAIGN_2020_01_29&utm_medium=email&utm_term=0_d842d98289-c8dddbbc45-75573037 reported] that dozens of servers were “compromised” at the United Nations offices in Geneva and Vienna. The attack dated back to July 2019 and affected staff records, health insurance, and commercial contract data. According to an unnamed UN official cited in an Associated Press [https://apnews.com/0d958e15d7f5081dd612f07482f48b73 report] on the same day, the level of sophistication was so high that it was possible a State-backed actor might have been behind it. Within the Toolkit, [[Scenario 04: A State’s failure to assist an international organization|Scenario 04]] specifically considers a hypothetical situation in which an international organization falls victim to cyber attacks, the impact of which could and should have been averted by the host State.</div> |
|||
</option> |
|||
<option> |
|||
<!-- INCIDENT 10 |
|||
<div id="mp-itn" style="padding:0.1em 0.6em;">[[File:EUCouncil.png|left|150px]] |
|||
On 30 July 2020, the Council of the European Union [https://www.consilium.europa.eu/en/press/press-releases/2020/07/30/eu-imposes-the-first-ever-sanctions-against-cyber-attacks/ decided] to impose restrictive measures against six individuals and three entities considered to be responsible for or involved in various hostile cyber operations. These included the [[Attempted hack of the OPCW (2018)|attempted hack of the Organization for the Prohibition of Chemical Weapons (OPCW)]] and the [[WannaCry (2017)|WannaCry]] and [[NotPetya (2017)|NotPetya]] incidents. The sanctions imposed included a travel ban and an asset freeze. In addition, EU persons and entities were prohibited from making funds available to those listed. This was the first time the EU has imposed restrictive measures of this kind. Within the Toolkit, [[Scenario 04: A State’s failure to assist an international organization|Scenario 04]] specifically considers a hypothetical situation in which an international organization falls victim to cyber attacks, and [[Scenario 17: Collective responses to cyber operations|Scenario 17]] discusses the legality of targeted restrictive measures of this kind from the perspective of international law.</div> |
|||
</option> |
|||
<option> |
|||
<!-- INCIDENT 11 |
|||
<div id="mp-itn" style="padding:0.1em 0.6em;">[[File:Brno_(znak).svg|left|150px]] |
|||
On 13 March 2020, Brno University Hospital, the second-largest hospital in the Czech Republic, at the time also providing COVID-19 testing capacities, was [[Brno University Hospital ransomware attack (2020)|targeted by ransomware]]. The hospital was forced to shut down its entire IT network, postpone urgent surgical interventions, and reroute patients to other nearby hospitals. It took several weeks before the hospital was fully operational again. [[Scenario 14: Ransomware campaign|Scenario 14]] in the Toolkit provides the legal analysis of a ransomware campaign against municipal and health care services abroad; [[Scenario 20: Cyber operations against medical facilities|Scenario 20]] and [[Scenario 23: Vaccine research and testing|Scenario 23]] both focus on various cyber operations against hospitals.</div> |
|||
</option> |
|||
<option> |
|||
<!-- INCIDENT 12 |
|||
<div id="mp-itn" style="padding:0.1em 0.6em;">[[File:Microsoft_Exchange_(2019-present).svg|left|150px]] |
|||
On 2 March 2021, Microsoft issued a [https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/ statement] about multiple zero-day exploits in its Exchange Server email software and urged customers to update their systems using a patch released at the same time. Nevertheless, malicious cyber activities escalated, resulting in more than [https://edition.cnn.com/2021/03/10/tech/microsoft-exchange-hafnium-hack-explainer/index.html 250,000 affected customers globally] (including governments as well as the private sector) and involving at least [https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/?utm_source=Twitter&utm_medium=cpc&utm_campaign=WLS_apt_groups&utm_term=WLS_apt_groups&utm_content=blog 10 APT groups]. The original campaign was [https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/ attributed] by Microsoft to ‘Hafnium’, described as a State-sponsored group operating out of China. The hackers used the exploits to gain access to victim organisations’ email systems and to install malware allowing them to maintain long-term access to files, inboxes, and stored credentials. [[Scenario 02: Cyber espionage against government departments|Scenario 02]] of the Toolkit analyses cyber espionage against government departments; economic cyber espionage is discussed in [[Scenario 09: Economic cyber espionage|Scenario 09]].</div> |
|||
</option> |
|||
<option> |
|||
<!-- INCIDENT 13 |
|||
<div id="mp-itn" style="padding:0.1em 0.6em;">[[File:Solarwinds.svg|left|150px]] |
|||
On 13 December 2020, FireEye [https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html announced] the discovery of an ongoing supply chain attack that trojanized SolarWinds Orion business software updates in order to distribute malware. The [https://www.businessinsider.com/solarwinds-hack-explained-government-agencies-cyber-security-2020-12?r=US&IR=T victims] included many U.S. governmental organisations (such as the Department of Homeland Security, the Department of Energy, or the Treasury) and businesses (including Microsoft, Cisco, or Deloitte). Once the systems were infected, hackers could transfer files, execute files, profile the system, reboot the machines, or disable system services. The U.S. government has [https://www.cisa.gov/news/2021/01/05/joint-statement-federal-bureau-investigation-fbi-cybersecurity-and-infrastructure attributed] the attack to an ‘Advanced Persistent Threat Actor, likely Russian in origin’. Even though the campaign’s full scope remains unknown, recovering from the hack and conducting investigations may take up to [https://www.technologyreview.com/2021/03/02/1020166/solarwinds-brandon-wales-hack-recovery-18-months/ 18 months]. In the Toolkit, data theft and cyber espionage against government departments are analysed in [[Scenario 02: Cyber espionage against government departments|Scenario 02]]. Given that private sector organizations were among the victims, [[Scenario 09: Economic cyber espionage|Scenario 09]] on economic cyber espionage is also relevant.</div> |
|||
</option> |
|||
<option> |
|||
<!-- INCIDENT 16 |
|||
<div id="mp-itn" style="padding:0.1em 0.6em;">[[File:Emblem of the African Union.svg|left|150px]] |
|||
The first sign of an [[African Union headquarters hack (2020)|malicious cyber activity targeting the headquarters of the African Union in Addis Ababa]] was spotted in January 2020. The suspected actor is the "Bronze President", a hacker group allegedly residing in China. The perpetrators obtained data from the headquarters’ IT system. The data was only transmitted during work hours, which concealed it in the regular data stream. China distanced itself from the activity claiming the incident was supposed to damage Sino-African relations. |
|||
In the context of the incident, the main issue is the responsibility of the host State for providing the security of the international organisation, which is developed in [[Scenario 04: A State’s failure to assist an international organization|Scenario 04]]. |
|||
</div> |
|||
</option> |
|||
<option weight="2"> |
|||
<!-- INCIDENT 21 |
|||
<div id="mp-itn" style="padding:0.1em 0.6em;">[[File:Universitaetsklinikum-Duesseldorf-Logo.png|left|150px]] |
|||
In September 2020, the German University Hospital in Düsseldorf was forced to reduce healthcare service due to a [https://www.wired.co.uk/article/ransomware-hospital-death-germany ransomware attack] that crippled its systems. The attackers managed to compromise 30 clinic’s servers, reducing its capacity by [https://www.rtl.de/cms/hacker-angriff-auf-uniklinik-duesseldorf-starb-eine-patientin-wegen-einer-erpressung-4615184.html fifty per cent] for several days. This ransomware campaign with [https://www.thelocal.de/20200922/german-experts-see-russian-link-in-deadly-hospital-hacking/ links to Russian groups] is known worldwide because a woman has died when taken into a distant hospital that could accept her, even though her death was later [https://www.technologyreview.com/2020/11/12/1012015/ransomware-did-not-kill-a-german-hospital-patient/ not concluded] as a result of the attack. The attack was most likely a mistake since the perpetrators left a note in a code addressed to Heinrich Heine University. Once the hackers were informed about their misstep, they [https://www.healthcareitnews.com/news/hospital-ransomware-attack-leads-fatality-after-causing-delay-care stopped and provided] the hospital with the encryption key without any ransom demands before [https://www.bbc.com/news/technology-54204356 cutting the communication]. Even though no data has been lost, this ransomware campaign once again showed how the healthcare sector is vulnerable to cyber attacks. |
|||
In the Toolkit, [[Scenario 20: Cyber operations against medical facilities|Scenario 20]] focuses directly on cyber operations against medical facilities. Given that the hospital suffered a ransomware attack, [[Scenario 14: Ransomware campaign|Scenario 14]] exploring the ransomware campaign is also relevant. |
|||
</div> |
|||
</option> |
</option> |
||
END OF REMOVED INCIDENTS --> |
END OF REMOVED INCIDENTS --> |
||
Revision as of 10:00, 8 March 2024
About the projectThe Cyber Law Toolkit is a dynamic interactive web-based resource for legal professionals who work with matters at the intersection of international law and cyber operations. The Toolkit may be explored and utilized in a number of different ways. At its core, it presently consists of 28 hypothetical scenarios. Each scenario contains a description of cyber incidents inspired by real-world examples, accompanied by detailed legal analysis. The aim of the analysis is to examine the applicability of international law to the scenarios and the issues they raise. You can see all scenarios in the box immediately below – just click on any of them to follow the relevant analysis. In addition, you may want to explore the Toolkit by looking for keywords you’re interested in; by viewing its overall article structure; by browsing through the national positions on international law in cyberspace; or by reading about individual real-world examples that serve as the basis of the Toolkit scenarios. Finally, you may want to use the search function in the top right corner of this page to look for specific words across all of the Toolkit content.
Cyber law scenarios |
Featured incident On 14 May 2021, a ransomware attack targeted the Irish national healthcare service on both national and local levels, including several hospitals that had to cancel planned procedures. The day before, National Cyber Security Centre informed about a potential threat inside the Department of Health network, which spoiled the efforts of ransomware infiltration. The Department’s IT systems were preemptively shut down. The criminal investigation is focusing on the Wizard Spider gang that is operating from Saint Petersburg in Russia according to intelligence agencies. The Minister for Foreign Affairs of Ireland Simon Coveney said he has spoken to his Russian counterpart, Sergey Lavrov, about the cyber attack. Although most of the systems were operable a month later, its complete recovery may take up to 6 months. In the Toolkit, Scenario 14 explores the legal questions regarding ransomware extortion campaigns. Given the indirect involvement of a State, Scenario 06 deals with the possible countermeasures deployed against an enabling State. Scenario 20 focuses on cyber operations against medical facilities. Quick links
Behind the scenesThe project is supported by the following six partner institutions: the Czech National Cyber and Information Security Agency (NÚKIB), the International Committee of the Red Cross (ICRC), the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE), the University of Exeter, United Kingdom, the U.S. Naval War College, United States, and Wuhan University, China. The core of the project team consists of Dr Kubo Mačák (University of Exeter) – General Editor; Mr Tomáš Minárik (NÚKIB) – Managing Editor; and Mr Otakar Horák (CCDCOE) – Scenario Editor. The individual scenarios and the Toolkit as such have been reviewed by a team of over 30 peer reviewers. The Toolkit was formally launched on 28 May 2019 in Tallinn, Estonia; its Chinese launch took place on 2 November 2019 in Wuhan, China; it received its most recent general annual update on 20 October 2022; and it remains continuously updated. For questions about the project including media enquiries, please contact us at cyberlaw@exeter.ac.uk.
|
