The Petya ransomware cyberattack hit computers of Russian and Ukrainian companies on 27 June 2017. Photo by Donat Sorokin/TASS/Getty.
4. Application of the Law to Case Studies
114. This section considers where the boundaries of an internationally wrongful act might lie with reference to practical examples, whether on the basis of a violation of sovereignty, breach of the principle of non-intervention, or both. Whether or not there is an unlawful act will inevitably depend heavily on the facts in question, and this section does not purport to provide concrete answers in each case. Rather, it uses examples to assist in the analysis and to explore the extent to which there may be an overlap between violation of sovereignty and violation of the non-intervention principle in practice.
I. Examples to explore the scope of a state’s ‘inherently sovereign functions’
115. The following examples explore the boundaries of where a state’s ‘inherently sovereign functions’ might lie, in the context of states’ cyber activities in another state. This issue arises in the context of both violation of sovereignty and the non-intervention principle.
Do a state’s inherently sovereign powers extend to the activities of private citizens?
- A state agent hacks into a computer belonging to a private company in another state in order to extract a ransom. The control and authority over the computer are with the private company that owns the computer. The computer and its contents have no relationship with the state’s exercise of its powers save for such purposes as criminal law enforcement. It was noted in chapters 2 and 3 above196 that a state’s inherently sovereign powers relate to areas over which a state has exclusive control, including state infrastructure, rather than the activities of private citizens. If this is correct, such cyber activity would not violate the independent powers of the state in which the computer is located and neither could the activity be construed as intervention, regardless of whether it is coercive.
- A state agent remotely shuts down the operation of a dominant internet platform provider (such as Facebook) in another state, such that the entire population of the latter state is unable to access the platform for three days. It is an isolated incident without effects on the host state beyond inconvenience to its citizens. On the basis of the above, only if the shutting down of the company in question had a direct effect on the territorial state’s exercise of its inherently sovereign functions would the state-sponsored cyber activities constitute a violation of the territorial state’s sovereignty and (if the activity is coercive) also the non-intervention rule.197 If, for example, the platform provider operated a portal on which a significant proportion of the population were exclusively dependent to submit welfare claims, that could be regarded as constituting a violation of sovereignty and the non-intervention principle.
116. As noted in Chapter 2, states that adopt a wide approach to the existence of their powers over all aspects of citizens’ behaviour are more likely to invoke violation of sovereignty in relation to incursions of any kind by other states.198 Such states may take the view that the non-consensual shutting down of an internet company’s activities on its territory constitutes a violation of their sovereignty – or ‘cyber sovereignty’.199 But if the activity targeted is that of a private citizen or company, it will not fall within a state’s ‘inherently sovereign functions’, as that is established in international law.200 This is one of the difficulties of analysing these issues through the prism of sovereignty, particularly if violation of sovereignty is conceived as open-ended, without limitative criteria.
Cyber intrusion in relation to a single commercial entity or attacks directed at a financial system as a whole
117. The ICJ stated in Nicaragua that a state’s choice of its economic system is a matter in which each state is permitted to decide freely. But it was also noted above that the activities of individuals and companies within a state – including in those states that control almost all aspects of their economy – do not fall within the remit of a state’s ‘inherently governmental functions’ for the purposes of international law.201
118. Thus, if a state-sponsored cyberattack is directed at a single commercial entity such as a private bank, on the analysis in chapters 2 and 3 this would not engage the state’s inherently sovereign functions because it is a private entity rather than a whole sector falling exclusively within the government’s powers.202 Government statements regarding cyber intrusions on the financial sector (albeit by only a few Western states) support this approach, treating such intrusions as private and as a breach of criminal law rather than international law. For example, in 2014, the Sands Casino in the US suffered a cyberattack, which is suspected to have been carried out by Iran.203 Notwithstanding the extensive damage done to the operation of the company concerned (including the wiping of hard drives and the permanent erasure of a vast quantity of essential data), the US did not frame the operation as a violation of international law; the FBI investigated it in conjunction with local state police, but no further action was taken.204 This kind of activity would be a criminal act under the domestic law of almost any country, and would be subject to lawful measures of law enforcement, which might include seizure of criminally gained assets, arrest or a request for extradition. It would not constitute either a violation of sovereignty or an act of prohibited intervention because it lacks the requisite state-to-state relationship.
119. A less clear-cut case is the cyberattack in November 2014 on Sony Pictures. Sony’s US affiliate was hacked and confidential data extracted from its servers, followed by the release of a huge quantity of personal data about the company’s executives and new productions that had yet to be released. More than 70 per cent of Sony’s computers were rendered inoperable by the malware and the company had to invest tens of millions of dollars in IT infrastructure repairs. Evidence suggests that the motive for the attack was to persuade Sony not to release a film (‘The Interview’) about North Korea, to which North Korea objected.205 The US attributed the cyberattack to North Korea. It may be argued that the incident constitutes an exercise of law enforcement power on the part of North Korea (assuming that criticizing North Korea’s leader, Kim Jong-un, is a criminal offence there) on another state’s territory with far-reaching effects. That would fit the definition of violation of sovereignty used above.206 The attack would arguably also constitute an act of intervention if the purpose was to coerce the US to prevent Sony from engaging in criticism of North Korea or its leader in the future. Certainly the US government considered the incident significant enough to respond with sanctions and possibly covert cyberattacks.207 One US official was reported as stating that the intrusion crossed a threshold from ‘website defacement and digital graffiti’ to an attack on computer infrastructure.208 Secretary of State John Kerry, in discussing the attack, did not refer to a specific aspect of international law, but did say that the hack ‘violated international norms’.
120. There are certain factors that may indicate when a state’s malicious cyber activity is more likely to be treated as falling within the target state’s inherently sovereign functions rather than being merely criminal activity. When a state refers to another state hacking into ‘systems’ or ‘infrastructure’, as opposed to referring to the target as a single private bank or company, this suggests behaviour that goes to the heart of a state’s exclusive and independent state powers rather than simply a criminal attack.
121. Where the cyber intrusion is directed at disrupting the national bank or federal reserve of another state, over which the target state exerts sovereign authority, the target state’s authority will be directly engaged, and thus the principle of sovereignty or non-intervention will be potentially violated.209 An example of state cyber intrusion that targeted an entire financial sector rather than merely an individual financial institution was the 2011–13 distributed denial of service210 campaign that Iran conducted against the US financial sector. This involved a sophisticated, globally distributed network of compromised computer systems (a botnet), reaching a cumulative total of 176 days of attacks. The harm sustained by US financial institutions targeted by the operation ran into tens of millions of dollars as a result of severe interruptions to their business activities. The attacks were attributed to Iran by the US, and certain individuals involved were indicted by the US government in 2016 for attacking critical infrastructure.211 In this case, there was evidence to suggest coercive behaviour that reaches the threshold of an intervention, i.e. the application of pressure to deprive the US of its free will over its economy with a view to compelling an outcome in the target state. As a result, there is a case to be made that the cyber activity could have reached the threshold of intervention. In terms of violation of sovereignty, even if an effects-based approach is adopted (as opposed to the maximally protective position under which any cyber intrusion into another state’s territory can violate sovereignty), the extensive effects on the US financial sector as a whole suggest that it could also be argued to be a violation of the US’s sovereignty.
122. A cyber intrusion directed at a single commercial entity could potentially cause the host state to lose its ability to control its economy as a whole, for example if it were to lead to a run on the banks that requires the government to intervene with corrective measures to balance the economy in response. In this case, too, violation of sovereignty may be implicated, because the practical effect of the unauthorized exercise of authority (by cyber means) by the perpetrating state is to usurp the target state’s sovereign functions (control of the economy), regardless of whether the activity was coercive. Increasingly, states link the maintenance of their economic security with their national security, which may increase the likelihood that state-sponsored cyber intrusions on a state’s financial sector could be perceived by victim states as an intrusion on their sovereign power to maintain public order.
II. Examples exploring the boundaries of coercive behaviour
123. This section looks at examples where the state cyberattack is directed at functions in another state that are generally accepted to fall within the scope of a state’s ‘inherently sovereign functions’. It therefore focuses primarily on whether or not such activity is coercive for the purposes of that principle.
Cyber operations to manipulate another state’s elections
124. The administration of free and fair elections falls within the inherently sovereign functions of a democratic state.212 State-sponsored election interference by cyber means can broadly be divided into two categories: (i) cyber interference with election infrastructure; and (ii) cyber operations to manipulate voting behaviour. Each is examined below.
Cyber interference with election infrastructure
125. There are a number of ways in which a state could use cyber operations to manipulate another country’s electoral infrastructure: for example, a hacking operation that tampers with the election results; changing the status of voters on the roll so that their vote is listed only as provisional; or deleting voters’ names from the electoral roll. There are many examples of such activity: in 2014 cyberattackers accessed the computer of Ukraine’s Central Election Commission and changed the result of the presidential election to show the winner as a far-right candidate; in 2016, the website of Ghana’s Central Election Commission was hacked and false results announced from the Commission’s Twitter account while votes were still being counted.
126. If the perpetrating state attempts to alter the results in order to put pressure on the target state to compel an outcome (such as the election result, or fall-out from that result) this would appear to be coercive and thus to meet the criteria for breach of the non-intervention principle. Brian Egan, then legal adviser to the US government, highlighted an example of a clear violation of international law as ‘a cyber operation by a State that interferes with another country’s ability to hold an election or that manipulates another country’s election results’.213 The UK’s then attorney general stated that an example of the practical application of the non-intervention principle would be ‘the use by a hostile state of cyber operations to manipulate the electoral system to alter the results of an election in another state’,214 and Australia has adopted the same position.215 Others consider that an operation rendering election-related cyber infrastructure incapable of performing its functions would qualify as a violation of sovereignty.216
127. In response to cyberattacks on their election infrastructure, some states have designated their electoral infrastructure as critical national infrastructure.217 This brings electoral infrastructure within the scope of the consensus report of the 2015 UN GGE,218 which states that nations should not conduct or support cyber-activity that intentionally damages or impairs the operation of critical infrastructure in providing services to the public.
Cyber operations to manipulate voting behaviour
128. States have peddled propaganda in other states for centuries. The advent of the internet has made this easier, for example through the use of bots operated from outside the territory to circulate posts on social media about a particular electoral candidate without the consent of the target state.219 In the non-cyber context, if the information circulated as propaganda is factual and neutral, such activity has not usually been considered to be a breach of the non-intervention principle.220
129. However, if the information spread is not factually accurate but rather disinformation (i.e. false or manipulated information, which is knowingly shared to cause harm), for example through the covert use of ‘deep fakes’221 or the micro-targeting and trolling222 of voters using bots and fake Twitter accounts, then the likelihood that such activity could interfere with a democratic state’s inherent right to run free and fair elections increases. International human rights law provides one framework for addressing the micro-targeting of individuals with propaganda, including the right to freedom of expression, the right to privacy, the right to freedom of thought and opinion, and the right to a free and fair election, as well as domestic regulation of social media in elections.223 The right to self-determination, which refers to the right of peoples to determine freely and without external interference their political status and to pursue freely their economic, social and cultural development, is also relevant, and some have noted the link between that right and the principle of non-intervention.224
130. Coercive efforts to manipulate voting behaviour could also amount to intervention in another state’s affairs, on the basis that the attempt to manipulate the will of the people also amounts to an attempt to undermine the target state’s sovereign will over its choice of political system, which, as the ICJ in Nicaragua observed, is a sovereign right.225 The covert element of disinformation contributes to the fact that the target state is unable to hold elections that are ‘free and fair’, because rather than there being a free marketplace of ideas, voters are being specifically targeted with information without necessarily being aware of this, nor that the targeting is based on personal data held by the targeting state. The deceptive nature of the cyber activity distinguishes it from a mere influence operation.226 By contrast, official statements that seek to steer another government’s population on a matter may be perceived as propaganda but if they are open and factually correct then they would be less likely to violate the principle of non-intervention because the target state would still have the free will to respond.
131. The cyber intrusions into the 2016 US presidential campaign involved a state hacking into the computer system of the Democratic National Committee (DNC) and publishing large quantities of written material about Hillary Clinton on Wikileaks, including almost 20,000 emails and 8,000 attachments written by key staff members of the DNC dated 2015–16.227 The US Director of National Intelligence published a report finding that Russia’s President Putin ordered the activity in order to ‘undermine faith in the US democratic process, denigrate Secretary Clinton and harm her electability and potential presidency’.228 If the definition of coercion in this paper is adopted, there is no need for the coercive behaviour to be successful – i.e. for the information actually to have changed people’s minds as to whom they voted for, which is difficult to prove either way. It is the fact of coercive behaviour in relation to another state’s sovereign functions that is required, rather than the ultimate result. Where a state uses covert cyber operations to influence what the target population thinks about certain candidates, it could also be argued that the perpetrating state by implication is seeking to compel an outcome – the inability of the target state to maintain an open democratic space in which to conduct free and fair elections. On this basis, it is possible that such state behaviour may reach the threshold of coercion.229
132. If the cyber intrusion does not reach the level of coercion, the issue arises as to whether it could nevertheless violate the affected state’s sovereignty. A pure sovereigntist may argue that it could, on the basis that it is an unauthorized intrusion into another state’s territory by cyber means. A relative sovereigntist would argue that a violation would occur only if there were sufficient scale or severity of effects, but the point at which the line is drawn remains unclear.230 In the case of the 2016 US presidential election, the highly intrusive nature of the Russian operation, and its extensive reach in terms of numbers of the population,231 suggests that it could constitute a violation of sovereignty. But the lack of agreement of criteria for violation of sovereignty, including what, if any, effects should be taken into account, makes the assessment difficult.
Cyber intrusion into the fundamental operation of parliament
133. The operation of parliament falls within the sovereign functions of a democratic state. If it can be established that the hostile state is conducting a cyber operation coercively in relation to the operation of another state’s parliament, for example disrupting online voting mechanisms during a key parliamentary vote, then such activity could meet the criteria for breach of the non-intervention principle.232
134. In the cyberattacks against Estonia in 2007, the websites of Estonia’s prime minister, president, and parliament were made to crash, resulting in significant disruption to the country’s political system. The attack lasted for three weeks and was of severe intensity, preventing government officials and citizens from updating or accessing information on these websites and maintaining email contact. While the attack has not formally been attributed to another state, it has been suggested that it was caused by Russia in response to Estonia’s moving of the Bronze Soldier.233 The attack’s severity and sustained nature suggest the application of pressure by another state to deprive Estonia of its free will over the exercise of its sovereign functions. If the cyberattack was designed in order to compel a certain outcome or conduct in Estonia – even if purely to punish or exact retribution – then the activity could meet the threshold of coercive behaviour and thus intervention.
135. If the behaviour did not reach the level of coercion, could it nevertheless have been a violation of Estonia’s sovereignty? A pure sovereigntist would argue that it could, as an unauthorized cyber incursion into the cyber infrastructure on Estonia’s territory. Relative sovereigntists would argue that it would depend on whether the effects of the intrusion reached a certain scale or severity. In this case, the effects on Estonia’s sovereign powers, including the inability to run its political system independently for a material period of time, were significant.
Cyber operations in relation to another state’s critical infrastructure
136. ‘Critical infrastructure’ is a term used by governments to describe assets that are essential for the functioning of a society and economy. In recent years there have been a number of examples of actual or alleged cyberattacks carried out by one state in order to disrupt another state’s critical infrastructure. For example, in December 2015, a cyberattack on Ukraine’s energy grid caused a blackout that affected 225,000 people. Some state-sponsored cyberattacks have disrupted broadcasts from TV, radio or internet platforms that are thought to be serving as government propaganda. In March 2019, the Venezuelan President Maduro accused the US of a cyberattack on the country’s power grid in a plot to force him from power.234
137. In each of the cases cited above, the aim of the alleged state cyber activity appears to have been to force an outcome or conduct with respect to a matter reserved to the target state, and thus the activity could potentially be regarded as coercive. If the infrastructure targeted is ‘critical infrastructure’ (i.e. assets that are essential for the functioning of a society and economy, such as public health, transport, energy, telecommunications and financial services) then the cyberattack is likely to concern the target state’s sovereign functions because critical infrastructure is something over which the state has exclusive authority, even if – as is commonly the case – the infrastructure is owned and/or run by the private sector.
138. In its 2015 report, the UN GGE agreed that ‘[a] State should not conduct or knowingly support ICT activity contrary to its obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public’.235 While this does not represent a binding obligation on states,236 it shows their concern to protect critical infrastructure from cyberattacks.
Targeting of essential medical facilities
139. The provision of essential medical facilities to the population is an aspect of a state’s critical infrastructure and as such falls within a state’s inherently sovereign functions. The UK’s attorney general specifically referred to the targeting of essential medical services by cyber means as an example of a prohibited intervention.237 But the concept raises a number of questions that have yet to be resolved, including how ‘essential medical facilities’ should be defined. Countries have different ways of handling the provision of medical facilities within their territory; from state-operated systems that are provided free of charge such as the UK’s National Health Service (NHS), to private systems where each individual must pay. Arguably, the provision of essential medical facilities such as emergency treatment for the state’s citizens falls within a state’s sovereign functions regardless of whether the system is public or private.
140. In order for cyber activity against another state’s essential medical facilities to constitute intervention, the activity would need to be coercive. The WannaCry ransomware cyberattack of May 2017 caused certain NHS trusts in the UK to suffer damage, with many GP, hospital and ambulance services affected. The attack was attributed to North Korea by a number of states.238 As the NHS is part of the UK’s public service, there is a strong case to be made that its activities fall within the scope of the UK’s sovereign functions. However, as noted above,239 the intention of the perpetrating state in this case appears to have been to extract hard currency from the individual users affected rather than specifically to influence an outcome or conduct in the UK, which was not the original target of the attack. This would not therefore appear to be coercive and thus would not reach the threshold of intervention. Whether the attack could be considered a violation of sovereignty depends on one’s position on sovereignty. A pure sovereigntist might argue that it would, as an unauthorized cyber incursion into the health sector of another state’s territory. A relative sovereigntist would argue that it would depend on the scale and severity of the effects involved.
III. Examples relating to espionage
141. Much state-sponsored cyber activity involves the activities of intelligence services. Indeed, cyber operations have enabled a dramatic increase in such intelligence activity. Cyber-capable states regularly gather intelligence by gaining access to the foreign computer networks of multiple other states without consent. The intelligence gathered may then be used in a range of different ways.
142. In terms of the prohibition on intervention, it looks as though states regard the principle as applying to the activities of intelligence agencies as much as to other activities. With regard to other aspects of sovereignty, the issue is perhaps more difficult. As noted in the non-cyber context, the majority position among commentators is that with the exception of certain rules, espionage is largely left unregulated by international law and as such is not prohibited by international law per se.240 Many commentators argue that this approach also applies in the cyber context.241 On the other hand, it has been argued that acts of political and economic cyber espionage transgress the rule of territorial sovereignty by intruding into a domain protected by state sovereignty.242 This approach would render unlawful even the lowest level of cyber activities by intelligence agencies, including information gathering.
143. There are a number of difficulties in assessing the relationship between states’ cyber intelligence activities and sovereignty. State intelligence activity has unique features: it is conducted in secret, so it is hard to discern either state practice or state reactions to that practice. Nevertheless, in recent years there has been increasing state practice on the existence and scope of intelligence activity (including cyber activity) in the form of domestic legislation regulating the collection of intelligence, parliamentary comment and oversight reports.243 Further, the activities of some intelligence organizations have been extensively litigated in recent years before domestic courts and European courts244 without any suggestion by the courts that espionage itself is a violation of sovereignty or any other rule of international law.
144. But saying that espionage is not prohibited by international law is not the same as saying that it is lawful. That question will depend on the means, method and effects of the intelligence operations, and therefore blanket assertions cannot be made. A few examples are illustrative.
- Cyber espionage can involve states taking active defence measures, including sitting on networks in many different states to extract information from the internet or to prevent threats to their territory.245 States are often aware that other states are conducting these activities but do not formally object (whether based on perceptions of legality or otherwise). The assessment of the legality of such activity under international law may depend on the ultimate purpose for which the information gathered is subsequently to be used, and whether that ultimate activity will usurp the authority of the state in the exercise of its independent state powers in some way.
- Cyber espionage may also involve a state going into private servers located in a failed state to take out malware spread by a terrorist group. Such activity may take place without the consent of the host state, which may not be aware that the activity is taking place. The activity is not coercive towards the state on whose territory the servers are located, so this kind of activity would not meet the threshold of intervention. The extent to which the activity violates the sovereignty of the host state by usurping the authority of that state is debatable: the servers and computers affected are private property, and the perpetrating state is not exercising law enforcement powers, but under a pure sovereigntist approach this would constitute a violation of international law.
- States may also use cyber means to engage in economic espionage (for example, theft of IP), which is capable of causing significant economic damage to the target state and the companies within it. The extent to which this could violate sovereignty will again depend on whether sovereignty is perceived as open-ended or delineated by some kind of threshold, for example the quantitative effects of the economic loss caused to the target state’s economy.246 Whether or not it could constitute intervention will depend on whether such activity amounts to coercive behaviour. This is likely to be harder to establish, as it would require such activity to be carried out in order to deprive the target state of its free will in relation to one of its sovereign functions, for example the economy.
145. Increasing concern over economic espionage and the significant effects that it can cause in the target state has led to the conclusion of certain agreements between states on this issue, for example an agreement between the US and China in 2015, in which both states agreed to refrain from conducting or knowingly supporting cyber-enabled theft of IP;247 and a 2015 communiqué issued by world leaders attending the G20 Antalya Summit, which stated that ‘no country should conduct or support ICT-enabled theft of intellectual property…’ and that ‘all states should abide by norms of responsible state behaviour’ in using ICT.248 This practice may in time crystallize into a norm constraining the exercise of state-sponsored economic espionage.249 In the meantime, the default position would appear to be that while there is no overall prohibition on states’ intelligence activities under customary international law, those activities need to be assessed on a case-by-case basis as to whether they breach a particular rule of international law.