Countermeasures are one of the few avenues through which states can enforce international law. But new and old questions have (re)emerged about the extent to which states can resort to these measures in cyberspace’s fast-moving, large-scale and politically sensitive environment.
From April to June 2022, Costa Rica was targeted by a wave of ransomware attacks. Ransomware is a type of malware that prevents the victim from accessing their data, files, devices or systems, usually by encryption. A ransom is then demanded to restore access to these. In the case of Costa Rica, the attacks crippled key public agencies and services. They included the Ministry of Finance’s import and export controls, the payroll system of the ministries of labour and social security, and the Costa Rican Social Security Fund, which manages the country’s healthcare services.
As a result of the attacks, tax and customs systems were paralysed, export businesses lost millions of dollars, teachers did not get paid, and health practitioners were unable to access patients’ medical records, causing delays in patient treatment. Costa Rica decided not to pay the $25 million ransom demanded by the perpetrators – two Russian-based cybercriminal groups, one of which also called for the Costa Rican government to be overthrown. Instead, Costa Rica’s president declared a national emergency and sought technical assistance from Microsoft, the US, Israel and Spain to defend itself and recover from the attacks. One of the attackers was shut down in January 2023 following a coordinated effort by Europol and the German, Dutch and US authorities.
Like many ransomware operations, the attack against Costa Rica potentially violated several rules of international law. International law applies in its entirety to cyberspace – including the internet and other information and communications technologies (ICTs) – just as it applies to the use of other technologies. Assuming that the attack can be attributed to a state, the principle prohibiting intervention in another state’s internal or external affairs was likely breached. If the attack was solely orchestrated by non-state groups, certain states with influence over these groups could be responsible for failing to prevent the operation under one or more positive duties of prevention. But in a situation like this, the key question is how to enforce those rules in an effective manner, assuming that they were indeed violated. Specifically, what were Costa Rica’s response options to fend off the attacks and repair their consequences?
There is no global police force to enforce the rules of international law. Aside from the UN Security Council – which has the power to decide on measures to maintain or restore international peace and security, including the use of force – the enforcement of international law is decentralized. It is up to each state to adopt its own measures in response to violations of its rights by other states, consistently with international law. In the case of an armed attack, states may use military force in self-defence individually or collectively. But beyond extreme cases involving the use of force, response options to events like the ransomware campaign against Costa Rica are limited.
Countermeasures are a response option that does not involve the use of force. By taking a countermeasure, a state injured by a violation of international law breaches the same or another obligation it owes to the state that committed the unlawful act. But this breach is justified – or its wrongfulness is ‘precluded’ – because it seeks to address a prior wrong. Traditional examples of countermeasures include the suspension of trade or investment rights owed to the state in breach of international law – the responsible state. Countermeasures can also be taken in cyberspace, whether in the form of a cyber operation and/or in response to one.
Nevertheless, countermeasures are not the only response option available to states in those circumstances. Other routes to accountability include: i) dispute settlement mechanisms, particularly international adjudication; ii) retorsion (unfriendly acts that do not involve a breach of international law, such as the severance of diplomatic relations); iii) the suspension of a treaty as a consequence of a material breach; iv) exceptions specifically permitted in the treaty concerned (such as the Security Exceptions authorized by Article XXI of the General Agreement on Tariffs and Trade – GATT); and v) domestic remedies, such as criminal prosecutions of cyber criminals. Because countermeasures are rarely labelled as such, it is often difficult to distinguish between different measures of self-help. A rare example of explicit reliance on countermeasures is the EU’s Anti-Coercion Instrument, which allows the EU to take countermeasures against third states in response to acts of economic coercion that violate the principle of non-intervention under customary international law.
In the case of Costa Rica, it is unclear what measures were taken against the state and non-state actors potentially involved in the unlawful cyber operations. But if the ransomware campaign or the failure to stop it did amount to a breach of international law attributable to a state, then Costa Rica would have been entitled, under customary international law, to take countermeasures to induce the responsible state(s) to stop and/or repair the wrong(s). These countermeasures could take the form of in-kind cyber operations, for example, by seeking to disable the computers or servers used to launch the ransomware. They could also amount to non-cyber action, such as the freezing of assets belonging to the perpetrators or the responsible state, or the suspension of payments owed to that state to make it stop and/or repair the effects of the ransomware operation. Cyber countermeasures can also be taken in response to non-cyber violations of international law, such as Russia’s full-scale invasion of Ukraine.
Countermeasures are well-grounded in customary international law, which is formed by general state practice accepted by states as law (i.e. opinio juris). State practice is any conduct of the state, including physical and verbal acts, such as executive orders, diplomatic protests and official statements. The requirement of opinio juris means that the practice must be undertaken out of a sense of legal right or obligation. Examples of materials that could demonstrate this requirement include official publications, government legal opinions, diplomatic correspondence and domestic court decisions.
Despite their longstanding legal pedigree, the application of countermeasures in cyberspace has (re)ignited new and old debates, given certain unique features of ICTs. Cyber operations – both offensive and defensive – tend to be more covert than traditional countermeasures. States may want to preserve the confidentiality of sensitive information, the nature and extent of their cyber capabilities, and the surprise effect of their cyber operations. Furthermore, like any online communication, cyber operations cross multiple cables, servers and systems that are often located in different states and primarily owned or managed by private entities. This means that it is often difficult to trace the origin of such operations, and their effects can spill over to multiple systems and actors, all in a matter of seconds.
These operational considerations have prompted questions about the extent to which the conditions for taking countermeasures under customary international law should be adapted to cyberspace’s fast-moving, large-scale and politically sensitive environment. For instance, some legal scholars and practitioners have queried whether states injured by a cyber operation requiring an urgent response need to first call upon the responsible state to stop and/or repair the wrong. In the Costa Rican example, would Costa Rica have had to contact the authorities of the responsible state or make a formal statement asking it to cease and/or repair the ransomware campaign, or to take action to stop non-state groups from carrying out the cyber operation?
States across the globe also have asymmetrical cyber and economic capabilities. This is illustrated by the technical support that other states and a private company provided Costa Rica in its response to the 2022 ransomware attack. While the exact nature of the support provided to Costa Rica is unclear, the question also arises whether states other than the directly injured state are entitled to take a) countermeasures in response to violations of collective or community interests, b) countermeasures in support of the injured state irrespective of the obligation breached, or c) measures to assist this state in taking its own countermeasures.
The purpose of this research paper is to provide some answers to those difficult questions. It will do so by assessing the status of countermeasures in international law, whether these are taken online or offline. While many of the challenges arising in the cyber context are new, cyberspace is still governed by existing international law. Likewise, many of the difficulties surrounding countermeasures in cyberspace go to the heart of longstanding debates about the conditions for taking such measures in any context.
This paper is divided into two main sections. Chapter 2 looks at the substantive and procedural conditions for the taking of countermeasures generally under customary international law as well as at how they apply in the cyber context. Chapter 3 assesses whether and to what extent states other than the directly injured state are entitled to take countermeasures in response to violations of collective or community interests. Chapter 3 also assesses whether non-injured states have the right to take countermeasures in support of the injured state irrespective of the obligation breached, or may aid or assist this state in taking its own countermeasures. The conclusion summarizes the paper’s key findings and makes recommendations for states and other stakeholders.
By unpacking the law on countermeasures, this paper seeks to bring more clarity, legal certainty and predictability on how international law applies in cyberspace and how states should behave responsibly in this and other contexts.