Scenario 07: Leak of State-developed hacking tools

From International cyber law: interactive toolkit
Jump to navigation Jump to search
© maradon 333. Licensed from Shutterstock.

This scenario concerns the leak of State-developed hacking tools, the failure of a State to inform software companies of vulnerabilities in their products, and the repurposing of the hacking tools for criminal purposes. The legal analysis of this scenario examines the obligation of due diligence, the obligation to respect sovereignty, and the prohibition of intervention.

1 Scenario[edit | edit source]

1.1 Keywords[edit | edit source]

Malware, sovereignty, prohibition of intervention, due diligence

1.2 Facts[edit | edit source]

[F1] A website appears on the Internet, offering the sale of various hacking tools, including zero-day vulnerabilities, spyware, and ready-made exploits. The sellers allege that all of the tools on offer had been developed by State A’s intelligence services (incident 1). Independent security researchers confirm that the advertised tools indeed resemble a number of different tools previously used in cyber operations in which State A had been implicated. After initial hesitation, State A officials confirm the leak of the hacking tools caused by unknown attackers.

[F2] Website hosting the tools is immediately noticed by the authorities and the content is taken down. However, once exposed on the Internet, the tools are considered as leaked and almost certainly spreading further.

[F3] Software companies whose products are said to contain the vulnerabilities launch a formal protest with State A for not having informed them of the existence of those vulnerabilities, before and especially after the leak (incident 2).

[F4] The tools are later repurposed by State B’s military unit and used in a ransomware (or mock ransomware) campaign, causing substantial losses globally, including paradoxically in State A. In particular, the spread of the ransomware results in the encryption of data in several of State A’s governmental information systems (incident 3). The facts as stated above have been verified by independent security researchers.

1.3 Examples[edit | edit source]

2 Legal analysis[edit | edit source]

For a general overview of the structure of analysis in this section, see Note on the structure of articles.

[L1] The legal analysis of the present scenario is divided into four parts: the first two parts discuss the potential responsibility of State A due to a breach of the obligation of due diligence and the following two parts deal with the potential responsibility of State B for a violation of sovereignty and prohibited intervention based on the ransomware campaign.

2.1 Attribution to State A[edit | edit source]

[L2] Internationally wrongful acts of States may consist of actions as well as of omissions.[1] However, whether there is an omission relevant for the purposes of attribution is intertwined with the existence of a concomitant international obligation and, therefore, with the identification of a subject by which this obligation is owed.[2] It is in this sense that the failure of State A to prevent the theft of its tools (incident 1) and to report the existence of specific vulnerabilities to software manufacturers (incident 2) must be assessed.

[L3] Attribution of incident 3 to State A is not realistic. State A would only be responsible for the conduct of State B’s military unit if the unit was placed at the disposal of State A and acting in the exercise of elements of the governmental authority of State A (see attribution).[3]

2.2 Breach of an international obligation by State A[edit | edit source]

2.2.1 Due diligence[edit | edit source]

Due diligence
According to the traditional formulation by the ICJ in the Corfu Channel case, every State is under an “obligation not to allow knowingly its territory to be used for acts contrary to the rights of other States”.[4] In the cyber context, the UN General Assembly urged States already in 2000 to “ensure that their laws and practice eliminate safe havens for those who criminally misuse information technologies”.[5]

It is the matter of some controversy whether the principle of due diligence reflects a binding obligation applicable to cyber operations.[6] It has also been proposed that in the cyber context, it is preferable to construe due diligence as a standard of attribution rather than as a standalone primary rule of international law.[7] Nevertheless, the present analysis proceeds on the basis that as a matter of lex lata, due diligence constitutes a general international obligation for every State not to knowingly allow its territory to be used for internationally wrongful acts using cyber means. This view has also been unanimously endorsed by the drafters of the Tallinn Manual 2.0.[8]

Due diligence does not entail a duty of prevention,[9] but rather an obligation of conduct.[10] A State breaches its due diligence obligation in the presence of the following cumulative elements:

  1. The existence of acts (by a non-State actor or a third State) contrary to the rights of a victim State,[11]
  2. which are conducted from or through the territory of the potentially responsible State (or from or through the territory or cyber infrastructure under its control),[12]
  3. which would have been unlawful if conducted by the potentially responsible State,[13]
  4. which have serious adverse consequences for the victim State,[14]
  5. with respect to which the potentially responsible State has actual or constructive knowledge,[15] and
  6. upon which the potentially responsible State can act, but fails to take all feasible measures.[16]

[L4] These elements are analysed below, one by one:

  1. The leak of the hacking tools and failure to inform the software manufacturers from State A (incidents 1-2) could be contrary to the rights of third States, because it makes their cyber infrastructure more vulnerable to malicious activities. However, the leak is a fairly remote cause of the malicious activities, because an intervening act of a malicious actor is required; it is, therefore, questionable whether the consequence can still be attributed to State A.
  2. The leak utilised the computer systems (cyber infrastructure) of State A. However, it is questionable if the leak itself is the harmful activity: rather, the abuse of the hacking tools is. Nevertheless, even if cyber infrastructure is interpreted broadly to include software[17] such as some of the hacking tools originally developed by State A, these tools were nonetheless no longer under the sole control of State A when they were repurposed and used to cause harm to third parties.
  3. If State A had purposefully sold or transferred their hacking tools to a third party, be it a State or a non-State actor, it would be responsible for further operations utilizing the hacking tools only if the further operations were attributable to State A – for instance, if State A also exercised direction and control over the non-State actor - and those operations amounted to a breach of an international legal obligation.
  4. The leak led to substantial losses, which might qualify as “serious adverse consequences” if they cause, for instance, serious disruptions of societal functions, but again, the leak is causally remote from these consequences.
  5. State A knew about the leak. The scenario does not say since when exactly, but it is assumed that State A knew at the latest when the origin of the hacking tools was confirmed by independent researchers.
  6. State A did not inform the software manufacturers, which could have mitigated the consequences. This was an omission on its part.

[L5] In sum, it would be difficult to determine a breach of a due diligence obligation by State A. The major stumbling blocks are the absence of an unqualified international obligation not to transfer State hacking tools to third parties (condition 3), remoteness of the causality (conditions 1 and 4), and the uncertainty about the seriousness of the adverse consequences (condition 4).

2.3 Attribution to State B[edit | edit source]

[L6] Incidents 1-2 are not attributable to State B – there is no indication of State B’s involvement in the leak of vulnerabilities. Incident 3 (the ransomware campaign) is attributable to State B, because the operation was conducted by one of its military units, which qualifies as an organ of the State.[18]

2.4 Breach of an international obligation by State B[edit | edit source]

2.4.1 State B’s obligation not to violate the sovereignty of State A[edit | edit source]

Sovereignty
Sovereignty is a core principle of international law. According to a widely accepted definition of the term in the 1928 Island of Palmas arbitral award,

[s]overeignty in the relations between States signifies independence. Independence in regard to a portion of the globe is the right to exercise therein, to the exclusion of any other State, the functions of a State.[19]

Multiple declarations by the UN,[20] NATO,[21] OSCE,[22] the European Union,[23] and individual States have confirmed that international law applies in cyberspace. Accordingly, so too does the principle of sovereignty. However, there is some debate as to whether this principle operates as a standalone rule of international law, the breach of which gives rise to state responsibility.
  • For the proponents of this view, the prohibition on violating the sovereignty of other States is a substantive primary rule of international law, the breach of which is an internationally wrongful act. This view was unanimously accepted by the experts who prepared the Tallinn Manual 2.0[24] and it was reportedly not challenged by any of the over fifty States that participated in the process of consultations regarding the Manual prior to its publication in 2017.[25]
  • By contrast, the opposing view is that sovereignty is a principle of international law that may guide State interactions, but it does not amount to a standalone primary rule.[26] This view has now been adopted by one State, the United Kingdom.[27] By this approach, cyber operations never violate the sovereignty of a State, although they may constitute prohibited intervention, use of force or other internationally wrongful acts.

The remainder of this section proceeds on the basis of the former “sovereignty-as-rule” approach. Those espousing the latter “sovereignty-as-principle” approach should refer to other relevant sections of the legal analysis (such as that on the prohibition of intervention).

It is understood that sovereignty has both an internal and an external component.[28] In the cyber context, the “internal” facet of sovereignty entails that “[a] State enjoys sovereign authority with regard to the cyber infrastructure, persons, and cyber activities located within its territory, subject to its international legal obligations.”[29][30]

As a general rule, each State must respect the sovereignty of other States.[31] It is clear that a cyber operation with severe destructive effects, comparable to a "non-cyber" armed attack or a use of force against a State, constitutes a violation of its sovereignty; however, with more subtle cyber operations, the question is far from settled.[32]

The following modalities, highlighted in the Tallinn Manual 2.0, represent different ways of determining what a “sovereignty violation” might mean in the context of cyber operations:

  1. A State organ conducting cyber operations against a target State or entities or persons located there while physically present in the target State's territory violates the target State's sovereignty.[33] This was agreed by all Experts drafting the Manual; however, “a few” of the Experts thought that the extensive State practice carved out an exception for espionage operations.[34]
  2. Causation of physical damage or injury by remote means;[35] again, “a few” Experts took the position that this is a relevant but not a determinative factor by itself.[36]
  3. Causation of a loss of functionality of cyber infrastructure: although the Tallinn Manual 2.0 experts agreed that a loss of functionality constituted “damage” and thus a breach of sovereignty, no consensus could be achieved as on the precise threshold for a loss of functionality (the necessity of reinstallation of operating system or other software was proposed but not universally accepted);[37] Below this threshold, there was no agreement among the Experts whether operations that do not cause physical consequences or a loss of functionality qualify as a violation of sovereignty.[38]
  4. Interference with data or services that are necessary for the exercise of "inherently governmental functions";[39] although the Experts could not conclusively define the term "inherently governmental functions", they agreed that, for example, the conduct of elections would so qualify.[40]
  5. Usurpation of "inherently governmental functions", such as exercise of law enforcement functions in another State’s territory without justification.[41]

Attributing the relevant cyber operation to a State different from the target State is a necessary prerequisite for qualifying the cyber operation as a violation of the target State's sovereignty.

Whether non-State actors can violate territorial sovereignty on their own is a matter of disagreement.[42]

[L7] In the present scenario, State B’s ransomware campaign was not conducted from State A’s territory (option 1) nor did it result in physical damage or injury (option 2), despite having caused significant economic losses. However, the cyber operation did cause a loss of functionality of many computer systems, including in State A, which is relevant for option 3. Additionally, it is possible the cyber operation interfered with State A’s inherently governmental functions (option 4), although the information about State A’s public information systems is not detailed enough to conclude what their function was. In sum, there is some evidence, albeit not conclusive on the facts provided, which suggests that State B may have violated its obligation not to violate the sovereignty of State A.

2.4.2 Prohibited intervention by State B[edit | edit source]

Prohibition of intervention
The obligation of non-intervention, a norm of customary international law prohibits States from intervening coercively in the internal or external affairs of other States. Prohibited intervention was authoritatively defined by the International Court of Justice in the judgment on the merits in the 1986 case Nicaragua v United States:

A prohibited intervention must … be one bearing on matters in which each State is permitted, by the principle of State sovereignty, to decide freely. One of these is the choice of a political, economic, social and cultural system, and the formulation of foreign policy. Intervention is wrongful when it uses methods of coercion in regard to such choices, which must remain free ones.[43]

In order for an act, including a cyber operation, to qualify as a prohibited intervention, it must fulfil the following conditions:
  1. The act must bear on those matters in which States may decide freely. The spectrum of such issues is particularly broad and it includes both internal affairs (such as “choice of a political, economic, social, and cultural system”[44]), and external affairs (“formulation of foreign policy”[44])—the so-called domaine réservé of States.[45] The content of the domaine réservé is determined by the scope and nature of the state's international legal obligations.
  2. The act must be coercive in nature. There is no generally accepted definition of “coercion” in international law. However, in the cyber context, the Tallinn Manual 2.0 suggests that “the coercive effort must be designed to influence outcomes in, or conduct with respect to, a matter reserved to a target State”.[46] On that basis, the “key is that the coercive act must have the potential for compelling the target State to engage in an action that it would otherwise not take (or refrain from taking an action it would otherwise take)”.[47] This approach distinguishes coercing or compelling the target State from merely influencing it by persuasion or propaganda and from causing nuisance without any particular goal.[48] The element of coercion also entails the requirement of intent.[49]
  3. Finally, there has to be a causal nexus between the coercive act and the effect on the internal or external affairs of the target State.[50]

[L8] In the present scenario, there is nothing to suggest that State B's ransomware campaign was targeting State A’s sovereign right to decide its own internal affairs freely. The fact that the ransomware campaign is designed to coerce State A to transfer funds to State B in and of itself is not sufficient to meet the requirements for an intervention. The element of coercion must be related to the form of interference that State B engages with a view to forcing a change to State A's policy or decision regarding its own internal affairs.

[L9] Compared to the economic losses caused by the incidents, the collected ransom was likely negligible. States in similar situations are not very likely to pay the ransom, which undermines the argument that the acts were coercive, rather than disruptive.[51]

[L10] In sum, it is difficult to label the operation as prohibited intervention.

3 Checklist[edit | edit source]

  • Due diligence:
    • In what circumstances would a State violate international law if it transferred the hacking tools to a non-State actor or another State on purpose?
    • Are State-developed hacking tools “cyber infrastructure” of that State, even if they are used outside its territory and without its control?
    • How proximate is the causal link between the stealing of the hacking tools and the consequences caused by their use?
    • Did the stealing and sale of the hacking tools result in serious adverse consequences for the victim State?
    • Did State A have actual or constructive knowledge that its territory was bring used for the stealing or sale of the hacking tools contrary to the rights of and resulting in serious adverse consequences for other States?
    • Did the potentially responsible State take all feasible measures to put an end to the malicious cyber activities?
  • Sovereignty:
    • Was the ransomware campaign conducted by a State organ of State B physically present on the territory of State A?
    • Did the ransomware campaign result in physical damage or injury on State A’s territory?
    • Did the ransomware campaign cause a loss of functionality of State A’s computer systems?
    • Did the ransomware campaign interfere with State A’s inherently governmental functions?
  • Prohibition of intervention:
    • Did the ransomware campaign bear on the internal or external affairs of State A?
    • Did the ransomware campaign coerce State A by depriving it of its freedom of choice concerning its internal or external affairs?

4 Appendixes[edit | edit source]

4.1 See also[edit | edit source]

4.2 Notes and references[edit | edit source]

  1. ILC Articles on State Responsibility, Art 2.
  2. Franck Latty, ‘Actions and Omissions’ in James Crawford et al (eds), The Law of International Responsibility (OUP 2010) 361.
  3. ILC Articles on State Responsibility, Art 6.
  4. Corfu Channel Case (UK v Albania) (Merits) [1949] ICJ Rep 4, 22.
  5. UN GA Res 55/63 (4 December 2000), Doc A/RES/55/63, para 1(a).
  6. Cf. UN GGE 2015 report, paras 13(c) and 28(e) (using non-mandatory language to express the due diligence principle in the cyber context: “States should not knowingly allow their territory to be used for internationally wrongful acts using [cyber means]” and “States ... should seek to ensure that their territory is not used by non-State actors to commit such acts”, respectively) (emphases added).
  7. See Luke Chircop, ‘A Due Diligence Standard of Attribution in Cyberspace’ (2018) 67 ICLQ 643.
  8. Tallinn Manual 2.0, commentary to rule 6, para 4.
  9. Tallinn Manual 2.0, commentary to rule 6, para 5.
  10. Cf. Case Concerning Application of the Convention on the Prevention and Punishment of the Crime of Genocide (Bosnia and Herzegovina v Serbia and Montenegro) (Judgement) [2007] ICJ Rep 43, para 430; see further James Crawford, State Responsibility: The General Part (CUP 2013) 226–32 (on the distinction between due diligence and obligations of prevention); Rudiger Wolfrum, ‘Obligation of Result Versus Obligation of Conduct: Some Thoughts About the Implementation of International Obligations’ in Mahnoush H Arsanjani et al, Looking to the Future: Essays on International Law in Honor of Michael Reisman (Brill 2010).
  11. Corfu Channel judgment, para 22; Tallinn Manual 2.0, commentary to rule 6, para 2 and 15.
  12. Tallinn Manual 2.0, rule 6.
  13. Tallinn Manual 2.0, commentary to rule 6, para 18-24.
  14. Tallinn Manual 2.0, rule 6.
  15. Tallinn Manual 2.0, commentary to rule 6, para 37-42.
  16. Tallinn Manual 2.0, commentary to rule 6, para 43; commentary to rule 7, para 2 and 18.
  17. Tallinn Manual 2.0, Glossary.
  18. ILC Articles on State Responsibility, Art 4(1); Tallinn Manual 2.0, commentary to rule 15, para 1; see also ICRC Customary IHL Study, vol 1, 530–531 (“The armed forces are considered to be a State organ, like any other entity of the executive, legislative or judicial branch of government.”).
  19. Island of Palmas (Neth. v. U.S.), 2 RIAA 829, 838 (Perm. Ct. Arb. 1928).
  20. UNGA Res 71/237 (30 December 2015) UN Doc A/RES/20/237.
  21. North Atlantic Treaty Organization, 'Wales Summit Declaration' (issued by the Head of State and Government participating in the meeting of the North Atlantic Council in Wales (5 September 2015) para 72.
  22. Organization for Security and Cooperation in Europe, Decision No. 1202, OSCE Confidence-Building Measures to Reduce the Risks of Conflict Stemming from the Use of Information and Communication Technologies (Permanent Council, 10 March 2016) PC.DEC/1202.
  23. Council of the European Union,"Council Conclusions on the Joint Communication to the European Parliament and the Council: Resilience, Deterrence and Defence: Building strong cybersecurity for the EU" (Council conclusions, 20 November 2017),
  24. Michael N Schmitt, 'Virtual Disenfranchisement: Cyber Election Meddling in the Grey Zones of International Law' (2018) 19 ChiJIntlL 30,40; Tallinn Manual 2.0, commentary to rule 4, para 2 (‘States shoulder an obligation to respect the sovereignty of other States as a matter of international law’).
  25. See Michael N Schmitt and Liis Vihul, ‘Respect for Sovereignty in Cyberspace’ (2017) 95 Tex L Rev. 1639, 1649 (noting that States ‘voiced no meaningful objection to Rule 4’ and that ‘it appeared to be received knowledge that a primary rule on territorial-sovereignty violations existed and applied to cyber operations.’).
  26. Gary P. Corn and Robert Taylor, ‘Sovereignty in the Age of Cyber’ (2017) 111 AJIL Unbound 207, 208 (arguing that sovereignty is ‘a principle of international law that guides state interactions’).
  27. Jeremy Wright, ‘Cyber and International Law in the 21st Century’ (23 May 2018) (stating that he was ‘not persuaded that we can currently extrapolate from that general principle a specific rule or additional prohibition for cyber activity beyond that of a prohibited intervention. The UK Government’s position is therefore that there is no such rule as a matter of current international law’); see also Memorandum from JM O’Connor, General Counsel of the Department of Defense, ‘International Law Framework for Employing Cyber Capabilities in Military Operations’ (19 January 2017) (considering that sovereignty is not ‘a binding legal norm, proscribing cyber actions by one State that result in effects occurring on the infrastructure located in another State, or that are manifest in another State’), as cited by Sean Watts & Theodore Richard, 'Baseline Territorial Sovereignty and Cyberspace' (2018) 22 Lewis & Clark L. Rev. 771, 829.
  28. Cf. James Crawford, Brownlie's Principles of Public International Law (OUP 2012) 448
  29. Tallinn Manual 2.0, rule 2.
  30. Sovereignty over cyber infrastructure derives from the traditional concept of sovereignty, independent of the use of cyberspace. See Wolff Heintschel von Heinegg, 'Territorial Sovereignty and Neutrality in Cyberspace' (2013) 89 Int’l L. Stud. 123 (noting that '[t]erritorial sovereignty [..] implies that, subject to applicable customary or conventional rules of international law, the State alone is entitled to exercise jurisdiction, especially by subjecting objects and persons within its territory to domestic legislation and to enforce these rules.')
  31. UN GA Res 2625 (XXV) (24 October 1970) (Friendly Relations Declaration), preamble (emphasizing “that the purposes of the United Nations can be implemented only if States enjoy sovereign equality and comply fully with the requirements of this principle in their international relations”); Tallinn Manual 2.0, rule 4.
  32. Tallinn Manual 2.0, commentary to rule 4, para 5 and 12.
  33. See, eg, Certain Activities Carried Out by Nicaragua in the Border Area (Costa Rica v Nicaragua) and Construction of a Road in Costa Rica along the San Juan River (Nicaragua v Costa Rica) (Judgment) [2015] ICJ Rep 665, 704–05, paras 97–99 (holding that the presence of Nicaragua’s military personnel in the territory under Costa Rica’s sovereignty amounted to a violation of Costa Rica’s territorial sovereignty); see also Tallinn Manual 2.0, commentary to rule 4, para 6.
  34. Tallinn Manual 2.0, commentary to rule 4, para 7; commentary to rule 32, para 9.
  35. Tallinn Manual 2.0, commentary to rule 4, para 11.
  36. Tallinn Manual 2.0, commentary to rule 4, para 12.
  37. Tallinn Manual 2.0, commentary to rule 4, para 13.
  38. Tallinn Manual 2.0, commentary to rule 4, para 14.
  39. Tallinn Manual 2.0, commentary to rule 4, para 15.
  40. Tallinn Manual 2.0, commentary to rule 4, para 16.
  41. Tallinn Manual 2.0, commentary to rule 4, para 18.
  42. In favour: see, eg, Theodore Christakis, ‘The ICJ Advisory Opinion on Kosovo: Has International Law Something to Say about Secession?’ (2011) 24 LJIL 73, 84; Marcelo Kohen, ‘The Court’s Contribution to Determining the Content of Fundamental Principles of International Law’ in Giorgio Gaja and Jenny Grote Stoutenburg (eds), Enhancing the Rule of Law through the International Court of Justice (Brill 2012) 145. Against: see, eg, Tallinn Manual 2.0, commentary to rule 4, para 3.
  43. Military and Paramilitary Activities in and against Nicaragua (Nicaragua v US) (Merits) [1986] ICJ Rep 14, para. 205.
  44. 44.0 44.1 Military and Paramilitary Activities in and against Nicaragua (Nicaragua v US) (Merits) [1986] ICJ Rep 14, para 205.
  45. See, for example, Katja Ziegler, “Domaine Réservé”, in Rudiger Wolfrum (ed), Max Planck Encyclopedia of Public International Law (OUP 2008) (updated April 2013) (defining the domaine réservé as those “areas where States are free from international obligations and regulation”).
  46. Tallinn Manual 2.0, commentary to rule 66, para 19.
  47. Tallinn Manual 2.0, commentary to rule 66, para 21.
  48. Tallinn Manual 2.0, commentary to rule 66, para 21.
  49. Tallinn Manual 2.0, commentary to rule 66, paras 19, 27.
  50. Tallinn Manual 2.0, commentary to rule 66, para 24 (The exact nature of the causal nexus was not agreed on).
  51. For analyses of prohibited intervention in similar real-world incidents, see Michael Schmitt and Sean Fahey, ‘WannaCry and the International Law of Cyberspace’, JustSecurity, 22 December 2017; and Michael Schmitt and Jeffrey Biller, ‘The NotPetya Cyber Operation as a Case Study of International Law’, EJIL: Talk!, 11 July 2017.

4.3 Bibliography and further reading[edit | edit source]

4.4 Contributions[edit | edit source]

Previous: Scenario 06: Enabling State Next: Scenario 08: Certificate authority