magnify
Home Articles posted by Michael Schmitt

The NotPetya Cyber Operation as a Case Study of International Law

Published on July 11, 2017        Author:  and

The recent “NotPetya” cyber-operation illustrates the complexity of applying international law to factually ambiguous cyber scenarios. Manifestations of NotPetya began to surface on 27 June when a major Ukrainian bank reported a sustained operation against its network. The Ukrainian Minister of Infrastructure soon announced ‘an ongoing and massive attack everywhere’.  By the following day, NotPetya’s impact was global, affecting, inter alia, government agencies, shipping companies, power providers, and healthcare providers. However, there are no reports of NotPetya causing deaths or injuries.

Cybersecurity experts have concluded that despite being initially characterized as a ransomware attack similar to WannaCry and Petya, NotPetya was directed at specific systems with a purpose of ‘causing economic losses, sowing chaos, or perhaps testing attack capabilities or showing own power’. Additionally, most agree that Ukraine was the target of the operation, which bled over into other States. The key question, however, is the identity of the attacker. NATO Cooperative Cyber Defence Centre of Excellence experts have opined that ‘NotPetya was probably launched by a state actor or a non-state actor with support or approval from a state.’

Although the facts are less than definitively established, the EJIL: Talk! editors have asked us to analyse the incident on the assumption that it is factually and legally attributable to a State.  We begin with a peacetime international law survey and conclude with an international humanitarian law (IHL) analysis. Read the rest of this entry…

 

Cyber Responses “By The Numbers” in International Law

Published on August 4, 2015        Author: 

According to open source reports, the Obama administration is considering how to retaliate against China for hacks into the US government’s Office of Personnel (OPM). Although it has hesitated to openly pin the rose on China, the reports raise questions as to how it might respond consistent with international law.

The issue of responses to harmful cyber operations has generated a fair degree of rather confused dialogue among politicians, pundits and the public. In the aftermath of, inter alia, the Sony hack and the OPM incident, it might be useful to take a by-the-numbers look at the international law governing responses to harmful cyber operations. The International Group of Experts that prepared the 2013 Tallinn Manual on the International Law Applicable to Cyber Warfare under the auspices of the NATO Cooperative Cyber Defence Centre of Excellence dealt with the topic briefly. A follow-on project, “Tallinn 2.0,” is presently underway to examine these issues in greater depth. As director for both projects, I have found the most useful lesson to be that, despite persistent claims to the contrary by international law and policy alarmists, the extant international law provides a linear structure, and robust means, for response. In the same way that international law generally balances national interests and international stability in the non-cyber realm, so too does it with respect to cyber. What follows is a summary of my approach to deconstructing the applicable law.

Read the rest of this entry…