Scenario 04: A State’s failure to assist an international organization

From International cyber law: interactive toolkit
© NATO CCD COE

An international organization falls victim to cyber attacks, the impact of which could and should have been averted by the host state. The scenario explores the obligation of due diligence on the part of the host state and whether and under what circumstances the international organization may resort to countermeasures.

1 Scenario

1.1 Keywords

Countermeasures, international organisation, legal personality, malware

1.2 Facts

[F1] The regional headquarters (RHQ) of the international organization Z is located in State A, which is also a Member State of the organization. The status of the RHQ is governed by a host agreement between State A and organization Z. The agreement establishes, among other things, (1) a scheme of regular monthly payments by organization Z to State A in return for the provision of communications, security, and other services; and (2) a duty of State A to “render all practicable assistance to [organization Z] in the fulfilment of its functions, including […] the provision of security of communications and information systems”.

[F2] In the meantime, security researchers at a government CERT in State B, which is not a Member State of organization Z, discover a large-scale APT attack that targets several public and private institutions in various countries. After they determine that the computer network of organization Z’s RHQ in State A has also been compromised, they submit a confidential report of their findings to the CERT in that State including recommendations of specific measures to be taken.

[F3] Several days later, key systems of the RHQ computer network cease to operate due to data-encrypting ransomware. It is later confirmed that the malware does not actually preserve the encryption key and that all encrypted data has therefore been irretrievably lost.

[F4] The fact that many RHQ staff have been locked out of their devices, combined with the loss of data, means that the international organization experiences a significant disruption to its activities in the entire region. The independent confidential report is soon leaked to the press, exposing State A as having left the organisation “at the mercy” of foreign hackers.

[F5] Aggrieved by these revelations, the organization ceases all payments to State A and issues a public statement noting that it does not intend to reinstate the payments until the State compensates it for all damage incurred by the cyber attack and provides credible reassurance that an incident of this kind will not happen in the future. The origin of the attack remains unknown.

2 Legal analysis

For a general overview of the structure of analysis in this section, see Note on the structure of articles.

[L1] The analysis in this scenario first considers whether State A violated any of its international obligations owed to international organization Z. The second section then focuses on the question whether the measures the organization took in response can be qualified as lawful countermeasures against State A.

2.1 Breach of obligations owed to international organizations

[L2] It has long been established that international organizations may possess legal personality under international law.[1] Those that do qualify as subjects of international law and are therefore capable of possessing international rights and duties.[2] In specific circumstances, States may dispute whether a particular organization possesses legal personality.[3] However, given that in the present scenario State A is a member of the international organization Z, which has its own regional headquarters to fulfil its own functions, the legal personality of organization Z is at least implicitly recognized by State A. Similarly, the fact that State A concluded the host agreement with organization Z suggests that it recognizes the latter's legal personality.[4]

[L3] There is no general rule of international law that would specifically prohibit interference with the cyber infrastructure of an international organization. Cyber operations against the infrastructure of an international organization located in the territory of a particular State may simultaneously infringe international legal rights of that State, which then becomes entitled to respond to the breach.[5] However, that solution is manifestly not available in a situation where the potentially responsible party is the territorial State itself—as in the present scenario. In other words, a specific obligation owed by the State to the organization must be identified.[6]

[L4] An obligation of this kind may arise from an international treaty between a State and an international organization. State A is indeed under the duty to “render all practicable assistance to [organization Z] in the fulfillment of its functions, including […] the provision of security of communications and information systems”, an obligation paralleled in other existing host agreements.[7]

[L5] Firstly, the obligation of State A to provide all practicable assistance to international organization Z is an obligation of conduct and not of result. State A is thus not responsible for the mere fact that negative consequences materialized in the form of the loss of data and the need to repair the attacked cyber infrastructure belonging to organization Z.[8] Whether a State’s actual conduct corresponds with that required by an obligation of conduct is determined by reference to the criterion of due diligence.[9] Accordingly, the State’s failure to act on the report in any way whatsoever is legally relevant. Irrespective of the factual consequences of the State’s conduct, it will be in breach of its obligation if its actual conduct does not correspond to the conduct required by the obligation.[10]

[L6] Secondly, it must be assessed whether State A had actual or constructive knowledge that would have prompted it to take the necessary action to provide practicable assistance. The mere fact that State A[11] was informed by the CERT in State B of the risk that malicious actors might soon seize control over the computers in the regional office is not sufficient to establish such knowledge. It is possible, and even reasonably to be expected, that State A needed time to verify the accuracy and credibility of the information provided by the CERT in State B. Depending on the structure of information flow within State A, it may take several days or even longer for the particular report to be processed. However, after the incident has occurred, State A cannot claim lack of knowledge as a justification for failing to provide the practicable assistance required under the attendant circumstances.

[L7] Thirdly, although the extent of the required conduct will vary from case to case, State A is required to take feasible action to assist organization Z in the fulfilment of its functions.[12] For example, State A could have provided organization Z with a back-up computer system to restore the functionality of the computer network in cases where key systems failed to operate for any reason. After the incident has taken place, it is also reasonable to expect State A to provide additional resources to restore the computer network necessary for organization Z to perform its functions. However, whether these actions are indeed feasible must be assessed reasonably on a case-by-case basis in light of all attendant circumstances.[13]

[L8] Applied to the present scenario, the above considerations suggest that State A is unlikely to have met the standard of due diligence against which its compliance with the obligation to render all practicable assistance is measured. As such, State A would have violated its obligation owed to international organization Z under the host agreement. Moreover, this violation would have been of a continuing character, persisting for as long as State A’s inaction inconsistent with its international obligations continued.[14]

2.2 Countermeasures by international organizations

[L9] This section focuses on the question whether, and to what extent, international organization Z may respond to the breach of the host agreement by State A by taking measures that would otherwise be unlawful under international law. Conversely, it does not consider the related question of suspension or termination of treaty relations between State A and international organization Z on account of a supposed material breach of the host agreement.[15]

[L10] To begin with, it follows from the fact of an international organization’s legal personality that if its rights are infringed by another subject of international law, the organization must have the right to invoke that subject’s international responsibility.[16] In particular, the organization may demand the cessation of the internationally wrongful act as well as reparation for the injury suffered.[17] However, it is not universally accepted that an international organization may resort to countermeasures in order to procure such cessation and/or reparation. Those who object to such a capacity on the part of international organizations under the extant international law point to the absence of practice in the area.[18] However, in the decentralized international legal order, the right to invoke the responsibility of other subjects must entail the right to resort to the permissible means of enforcement that have evolved under international law.[19] To hold otherwise would be to deprive international organizations of the ability to effectively protect their rights and thus to nullify the legal effect of their legal personality. The view that international organizations may take countermeasures is additionally supported by the International Law Commission and several international organizations and States.[20]

[L11] The interruption of payments owed to State A under the terms of the host agreement amounts to a clear breach of organization Z’s international obligations. In order for this conduct to be considered a countermeasure and, as such, internationally lawful, several conditions must be fulfilled.

[L12] In particular, the injured international organisation must first call upon the responsible party to fulfil its obligations of cessation and reparation,[21] and it must notify the latter of its intention to take countermeasures, while offering to negotiate[22] (condition 1); any countermeasures taken must comply with the principle of proportionality[23] (condition 2); they must be, as far as possible, temporary in nature[24] and terminate as soon as the responsible party has fulfilled its relevant obligations[25] (condition 3); and they must not violate obligations under peremptory norms of general international law (condition 4).[26]

[L13] In the present case, condition 1 appears not to have been met: international organization Z would have been advised to communicate its demands and intentions to State A prior to interrupting the payments required under the host agreement. Exceptionally, the injured party may dispense with the notification requirement and take “urgent countermeasures”, but this exception is limited to those measures that are necessary to preserve that entity’s rights.[27] No such urgency seems to be substantiated under the terms of the scenario. Moreover, the UK Attorney General has recently suggested that the notification requirement may not apply in the cyber context if it entailed the exposition of “highly sensitive capabilities in defending the country”.[28] Whatever the status of this supposed additional exception under international law, it would clearly be inapplicable to the present set of facts.

[L14] Condition 2 requires that any countermeasures taken must be commensurate with the injury suffered, taking into account the gravity of the internationally wrongful act and the rights in question.[29] This requirement of proportionality does not imply that the response must be equivalent, reciprocal or even in-kind: “[n]on-cyber countermeasures may be used in response to an internationally wrongful act involving cyber operations, and vice versa”.[30] In the present case, international organization Z would likely be able to make a solid case that the measures it took in response were proportionate to the injury suffered. This is because until the effects of the malicious cyber operation against it are remedied, the organization will not be able to resume its activities. Accordingly, the cessation of payments to State A for the provision of communications, security, and other services appears to be directly tied to the rights infringed and not excessive to what is needed for the vindication of those rights. As such, the measures taken by Z can be considered as compliant with the criterion of proportionality.

[L15] Condition 3 requires that countermeasures must be terminated as soon as the responsible party has complied with its cessation and reparation obligations. In this regard, the statement by international organization Z seems to closely follow the relevant legal requirements. As noted above, at that time, State A’s inaction qualified as a breach of its international obligations having a continuing character.[31] Suppose that State A would subsequently agree to provide adequate reparation by, for example, repairing the damaged cyber infrastructure, paying appropriate compensation, and introducing effective measures to avoid the repetition of similar incidents. In that case, any countermeasures would no longer be justified and international organization Z would have to resume all its duties under the host agreement.

[L16] The described countermeasures do not violate obligations under peremptory norms (condition 4).

[L17] In conclusion, although organization Z was in principle entitled under international law to resort to countermeasures, under the circumstances of the present scenario the cessation of payments to State A did not meet one of the necessary criteria (condition 1 above) and as such it amounted to a violation of international law by the organization.

3 Checklist

  • Does the international organization in question possess international legal personality?
  • Does the constituent instrument of the international organization contain any relevant duties owed to it by its member States?
  • Do the relevant obligations qualify as obligations of conduct or result?
  • Would the measures taken in response by the international organization amount to a breach of its obligations to the acting State?
  • Can the measures taken in response be qualified as lawful countermeasures against the acting State?

4 Appendixes

4.2 Notes and references

  1. Reparation for Injuries Suffered in the Service of the United Nations (Advisory Opinion) [1949] ICJ Rep 174, 179.
  2. Reparation for Injuries Suffered in the Service of the United Nations (Advisory Opinion) [1949] ICJ Rep 174, 179; cf. also ILC DARIO, Art 2 (defining an IO as being ‘established by a treaty or other instrument governed by international law and possessing its own international legal personality’) (emphasis added).
  3. See, eg, N White, The Law of International Organizations (2nd edn, Juris 2005) 30–69.
  4. Cf. 'Sixth report on unilateral acts of States' (30 May 2003) (by Mr. Victor Rodríguez Cedeño, Special Rapporteur) UN Doc A/CN.4/534 58 para 28 (“When a State … concludes an agreement with an entity that it has not recognized as such, it will be recognizing it from that point in time onwards or from the point in time at which the act is established.”).
  5. Cf. Tallinn Manual 2.0, part I, chapter 4, section 4, chapeau, para. 9 (noting that the territorial State may assert a violation of its own sovereignty by virtue of the operation’s destructive effects that manifest on its territory; and that it may use force to respond in self-defence if the cyber operation rises to the level of an armed attack).
  6. Cf. Reparation for Injuries Suffered in the Service of the United Nations (Advisory Opinion) [1949] ICJ Rep 174, 182 (requiring “that the injury for which the reparation is demanded arises from a breach of an obligation designed to help an agent of the Organization in the performance of his duties” while noting that it would not be sufficient for the wrongful act or omission to “merely constitute a breach of the general obligations of a State”).
  7. [ADD REF TO HOST AGMTS]; see also Charter of the United Nations (adopted 26 June 1945, entered into force 24 October 1945) 1 UNTS 16 (UN Charter) Art 2(5) (“All Members shall give the United Nations every assistance in any action it takes in accordance with the present Charter”).
  8. R Wolfrum, ‘Obligation of Result Versus Obligation of Conduct: Some Thoughts About the Implementation of International Obligations’ in MH Arsanjani et al (eds), Looking to the Future: Essays on International Law in Honor of W. Michael Reisman (Brill 2010) 375–76.
  9. J Kulesza, Due Diligence in International Law (Brill 2016) 266 (“The principle of due diligence applied to the obligations of conduct serves as criteria for assessing state compliance with a given duty, regardless of the consequences of a particular state action or omission.”). The notion of due diligence understood in this sense (i.e., as a standard against which the compliance with a duty is assessed) should be distinguished from the self-standing obligation of due diligence understood as a duty of each State not to allow its territory to be used in a way that affects the rights of other States. Due diligence in this latter sense is considered in particular in scenarios 05, 06, and 07.
  10. ILC Articles on State Responsibility, Art 12.
  11. A government-run CERT is undoubtedly an organ of the State and its action or inaction is thus fully attributable to the State in question. See also ILC Articles on State Responsibility, commentary to Art 4, para 6 (noting that “the reference to a State organ in article 4 is intended in the most general sense”).
  12. Cf. Tallinn Manual 2.0, commentary to rule 7, para 2 (“The due diligence principle is a legal obligation that is violated by omission. In this regard, omission not only encompasses inaction, but also the taking of ineffective or insufficient measures when other more appropriate measures are feasible, that is, reasonably available and practicable.”) (emphasis added).
  13. Cf. Interpretation of the Agreement of 25 March 1951 between the WHO and Egypt (Advisory Opinion) [1980] ICJ Rep 96, para 49 (“[W]hat is reasonable and equitable in any given case must depend on its particular circumstances.”); Wemhoff v Germany App no 2122/64 para. 10 (ECtHR, 27 June 1968) (“reasonableness … must be assessed in each case according to its special features”).
  14. Cf. ILC Articles on State Responsibility, Art 14(2) (“The breach of an international obligation by an act of a State having a continuing character extends over the entire period during which the act continues and remains not in conformity with the international obligation.”).
  15. See also ILC Articles on State Responsibility, Pt. Three, chapter II, para 4 (“Countermeasures are to be clearly distinguished from the termination or suspension of treaty relations on account of the material breach of a treaty by another State, as provided for in article 60 of the 1969 Vienna Convention. Where a treaty is terminated or suspended in accordance with article 60, the substantive legal obligations of the States parties will be affected, but this is quite different from the question of responsibility that may already have arisen from the breach.”).
  16. Cf. Reparation for Injuries Suffered in the Service of the United Nations (Advisory Opinion) [1949] ICJ Rep 174, 181–182; N White, The Law of International Organizations (2nd edn, Juris 2005) 45.
  17. Reparation for Injuries Suffered in the Service of the United Nations (Advisory Opinion) [1949] ICJ Rep 174, 183–185.
  18. See, eg, Tallinn Manual 2.0, commentary to rule 31, para. 27 in fine (“Other Experts in the majority did not subscribe to this view, again citing the lack of practice in the area.").
  19. Cf. F Dopagne, ‘Sanctions and Countermeasures by International Organizations’, in R Collins and N White (eds) International Organizations and the Idea of Autonomy (Routledge 2011) 181.
  20. See, ILC DARIO, Art 51, paras 1–3; see also ILC Yearbook 1979 II-1 44 para 94 (“We might hypothesize the simpler case where [an international] organization denies to a State which has seriously and persistently violated an obligation towards the organization itself, the financial or technical assistance which the latter has pledged to provide under the terms of an agreement. In such a situation, it is surely beyond doubt that such measures would not be wrongful.”)
  21. ILC Articles on State Responsibility, Art 52(1)(a); according to ILC DARIO, commentary to Art 22, para 2, the ASR are applied per analogiam, because DARIO do not regulate additional conditions for countermeasures of international organisations against States, only vice versa: compare DARIO Part Four, Arts 43–57.
  22. ILC Articles on State Responsibility, Art. 52(1)(b) per analogiam.
  23. ILC Articles on State Responsibility, Art. 51 per analogiam.
  24. ILC Articles on State Responsibility, Art. 49(2) and (3) per analogiam.
  25. ILC Articles on State Responsibility, Art. 53 per analogiam.
  26. ILC Articles on State Responsibility, Art. 50 per analogiam.
  27. ILC Articles on State Responsibility, commentary to Art 52, paras 1 and 6 per analogiam.
  28. UK Attorney General speech 2018 (“The covertness and secrecy of the countermeasures must of course be considered necessary and proportionate to the original illegality, but we say it could not be right for international law to require a countermeasure to expose highly sensitive capabilities in defending the country in the cyber arena, as in any other arena.”).
  29. ILC Articles on State Responsibility, Art. 51 per analogiam.
  30. Tallinn Manual 2.0, commentary to rule 23, para 7.
  31. Cf. ILC Articles on State Responsibility, Art 14(2) (on obligations having a continuing character); see also section “Breach of obligations owed to international organizations” above.

4.3 Bibliography and further reading

  • Frederic Dopagne, ‘Sanctions and Countermeasures by International Organizations’, in Richard Collins and Nigel White (eds) International Organizations and the Idea of Autonomy (Routledge 2011).
  • Joanna Kulesza, Due Diligence in International Law (Brill 2016) 266.
  • Michael N Schmitt (ed), Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (CUP 2017).
  • Nigel White, The Law of International Organizations (Juris 2005).
  • Rüdiger Wolfrum, ‘Obligation of Result Versus Obligation of Conduct: Some Thoughts About the Implementation of International Obligations’ in MH Arsanjani et al (eds), Looking to the Future: Essays on International Law in Honor of W. Michael Reisman (Brill 2010).
