Cyber Operations against Vaccine R & D: Key International Law Prohibitions and Obligations

By August, COVID-19 had killed 700,000 people worldwide, and at least 18 million had been infected by the virus. It now appears that the best hope for battling the pandemic may lie in multiple vaccines. This reality has sparked vaccine nationalism, as states compete for the supplies that hopefully will become available early next year. For instance, the United States has paid for the right to hundreds of millions of vaccine doses from domestic and foreign companies in Operation Warp Speed. Other countries, such as the United Kingdom, are following suit.

Another almost predictable response has been “vaccine espionage.” In mid-July, a consensus report of the UK’s National Cyber Security Center, the US National Security Agency and Department of Homeland Security, and Canada’s Communications Security Establishment alleged that “[t]hroughout 2020, APT29 has targeted various organisations involved in COVID-19 vaccine development in Canada, the United States and the United Kingdom, highly likely with the intention of stealing information and intellectual property relating to the development and testing of COVID-19 vaccines.” APT29, also known as “the Dukes” or “Cozy Bear”, is widely assessed as being a part of the Russian intelligence services. Russia has denied the report.

Russia is not alone in allegedly targeting vaccine R & D. For instance, the US Justice Department has indicted two Chinese hackers affiliated with the Chinese intelligence services for targeting vaccine research. More broadly, US officials have accused China of “aggressively stealing valuable medical technology for years,” and doing so “far more than any other country.” Like Russia, China has repeatedly denied the allegations. These are not the only states accused of such operations or falling victim to them (see, e.g., here and here).

Beyond espionage, cyber operations have sometimes impeded vaccine research and development (R & D) programs. In March, for instance, Hammersmith Medicines Research, a British firm that was on standby to conduct COVID-19 vaccine trials, was the target of a ransomware attack. And during the 2018 NotPetya ransomware attacks, Merck, a global producer of vaccines, suffered worldwide disruption of its research and manufacturing operations. As a consequence, Hepatitis and Human Papillomavirus vaccines became temporarily unavailable. That hostile cyber operations targeting vaccine R & D can endanger health, even life, is self-evident.

Based on a virtual event hosted by the Oxford Institute for Ethics, Law and Armed Conflict, a Second Oxford Statement on International Law Protections of the Healthcare Sector during Covid-19: Safeguarding Vaccine Research is being drafted (on the first, see here). This article is a wave-tops look at some of the key international law prohibitions and obligations discussed during that event. The analysis, however, is strictly limited to the extant law and does not necessarily reflect the thoughts of any participant other than the author (see here for a more detailed analysis with Marko Milanovic).


The key international law prohibitions with respect to cyber operations targeting vaccine R & D deal with sovereignty, intervention, the use of force, and international human rights. None prohibit such cyber operations per se. Rather, each depends on the consequences that result.

Sovereignty: Remotely conducted cyber operations into the territory of a state that are attributable to another state, either because they were conducted by organs of the state (Article 4, Articles on State Responsibility) like intelligence agencies or on the basis of “instructions” to, or “direction or control” of, a non-state actor by the latter (Article 8, ASR), can violate the sovereignty of the former on two bases. The first is territoriality. Should a cyber operation cause a loss of life, illness, or damage to equipment used to conduct medical R & D (including certain losses of functionality), the sovereignty of the state where those consequences manifest has been violated. For instance, if a ransomware attack delays development of a vaccine, and the consequence is that individuals who would not otherwise have fallen ill or died do so, the operation was unlawful. With respect to damage, it makes no difference whether the targeted medical research facility is public or private; sovereignty protects all property on a state’s territory.

The unsettled question is when do cyber operations not causing injury, death, or damage violate sovereignty. For instance, if an operation disrupts vaccine R & D without causing the requisite damage to equipment, and there is no indication that it affected life or health, has sovereignty been violated?

Very few states have taken a position on where the threshold for violation of sovereignty lies in such cases. The most liberal interpretation to date is that expressed by France in 2018. That nation characterizes the causation of effects on French territory as a violation of its sovereignty. By way of illustration, a cyber operation that causes vaccine research equipment to function differently than intended would qualify, as would one that deleted data, thereby necessitating re-accomplishing an aspect of the research.

Although not a universal position, the prevailing view is that espionage per se, while unlawful under domestic law, does not violate international law. States often condemn espionage, as occurred here, but that condemnation is seldom based on international law grounds. Likewise, cyber operations of a temporary nature, and those that merely cause inconvenience or irritation, are usually considered not to violate sovereignty. There is no indication that states are adopting a more liberal interpretation of sovereignty prohibitions based on the COVID-19 R & D-related cyber operations. Of course, if there is a nexus between vaccine espionage and exacerbation of the health situation in a country, as when concern that data may have been altered during the operation causes delays in development, the requisite harm will have manifested (see here for an interesting thread by Duncan Hollis).

This being so, the second basis for a sovereignty violation is especially significant – interference by one state in the “inherently governmental functions” of another. Inherently governmental functions are those that only states perform, although they may be outsourced to private entities. While vaccine R & D is not inherently governmental because private entities often engage in it, crisis management of a nationwide pandemic is indisputably inherently governmental. Therefore, if a state’s crisis management and response plan includes vaccine R & D, even by private entities, a hostile cyber operation attributable to another state that interferes with that aspect of its execution violates sovereignty. Importantly, and unlike a violation based on territoriality, this is so irrespective of the operation’s consequences; only interference with the state’s management of the pandemic is required. Absent interference, however, no sovereignty violation occurs; espionage alone is therefore unlikely to qualify in most cases.

Note that the United Kingdom is of the view that there is no rule of sovereignty. Therefore, in its estimation, hostile cyber operations targeting vaccine R & D do not violate the sovereignty of the state into which they are conducted. No other state has adopted this position openly and a growing number of states have rejected it (see, e.g., here, here, and here). Even the United States has been cautious in commenting on the position. But, in fairness, the British approach opens the door to certain responses to operations other states would qualify as violating sovereignty without, at least by the UK view, having to qualify the responses as countermeasures (see Article 22, Articles on State Responsibility).

Intervention: Unlike sovereignty, the status of intervention attributable to one state into the internal affairs of another as an “internationally wrongful act” is uncontroversial. For instance, the prohibition appears in both the 2013 and the 2015 Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security reports that were subsequently endorsed (here and here) by the General Assembly.

As noted by the International Court of Justice in its Nicaragua judgement, intervention has two elements. The first is that the domaine réservé of the target state be involved. The term denotes an area of activity that international law broadly leaves to the state concerned. A state’s pandemic response and how a state provides medical care clearly fall within its domaine réservé.

What sometimes causes confusion in this regard is the fact that the target of the cyber operation is not necessarily coextensive with the domaine réservé. Rather, the domaine réservé is the area of activity that the cyber operation is meant to affect. Accordingly, the fact that vaccine R & D has been targeted is neither necessary nor sufficient to find intervention. To illustrate, a cyber operation against a state’s Ministry of Finance designed to block payment of private companies that are developing a vaccine would involve the domaine réservé, whereas a ransomware attack targeting a vaccine research database conducted solely for criminal purposes would not.

Intervention’s second element is that the cyber operation be coercive in nature. As observed by the ICJ, coercion is the “essence” of intervention. The threshold at which an operation becomes coercive, as distinct from merely influential, remains unsettled in law. But, as explained by the Dutch Ministry of Foreign Affairs, coercion “means compelling a state to take a course of action (whether an act or an omission) that it would not otherwise voluntarily pursue. The goal of the intervention must be to effect change in the behaviour of the target state.” Cyber operations that deprive the state of its choice to engage in an activity or refrain from one, either by blocking its ability to carry out the choice or by rendering that choice unreasonable, qualify; if choice is simply influenced, there is no intervention.

Cyber operations directed at vaccine R & D constitute intervention whenever they are meant to interfere with the target state’s decision on how to address a health crisis or that decision’s execution. Espionage could rise to this level. Consider a case in which theft of intellectual property attributable to a state leads a private company in another state to terminate its vaccine R & D efforts because the availability of the information to its competitors makes turning the sought-after profit unlikely. As a result, the state’s execution of its pandemic response plan is disrupted; the operation amounts to intervention.

Use of Force: A third internationally wrongful act for which cyber operations against vaccine R & D could qualify is the prohibition of the use of force found in Article 2(4) of the UN Charter and customary international law. The crux of the matter is the threshold at which a cyber operation attributable to a state amounts to a use of force.

Clearly, a state’s cyber operation that causes, or is likely to cause, loss of life or serious widespread illness, or significant damage (including a serious loss of functionality), is a use of force. For instance, should cyber operations targeting vaccine R & D activities cause a delay in the provision of the vaccine to the population, and in turn result in avoidable death or illness on a significant scale, the state to which the operation is attributable will have unlawfully used force. The mere fact that there may be a temporal gap between the operation and manifestation of that harm does not preclude that characterization.

Whether, and if so when, cyber operations not causing such effects amount to a use of force remains an open question in international law. The prevailing view appears to be that this depends on the “scale and effects” of the operation in question (see, e.g., here and here). However, it is unlikely that operations against vaccine R & D, even if causing significant monetary loss, would qualify absent an effect on health or the causation of significant damage or loss of functionality.

International Human Rights Law: International human rights treaties like the International Covenant on Civil and Political Rights (Article 6), International Covenant on Economic, Social and Cultural Rights [Article 12(1)], and the European Convention on Human Rights (Article 2), as well as customary law, require states to respect the right to health and life. Accordingly, cyber operations attributable to a state that place either health or life at risk implicate these rights.

In the case of operations attributable to states that target vaccine R & D in other states, the question is whether human rights apply extraterritorially. The trend (see, e.g., here, here and here) is towards finding such an obligation when the enjoyment of a human right can be controlled from abroad. Control includes depriving individuals of their right to life or health.

Thus, by the emerging view, if a cyber operation effectively disrupts vaccine R & D abroad in a manner that affects the health or life of individuals in that country, the state to which it is attributable in law will have violated their human rights. Indeed, it is arguable that the state will have violated the human rights of any individuals, wherever located, who were likely to receive the vaccine but were unable to do so as a result of the cyber operation. It must be emphasized, however, that the question of extraterritoriality remains unsettled among states.


In addition to the aforementioned prohibitions, two international law obligations to take affirmative action bear on the issue of cyber operations against vaccine R & D. The first is the rule of due diligence, one acknowledged by the ICJ in its first case, Corfu Channel. By the rule, states are obligated to take feasible measures to put an end to ongoing hostile cyber operations mounted from or through their territory of which they know and that cause serious adverse consequences with respect to a right of another state under international law. There is no obligation to take measures, such as monitoring network activity or imposing cyber hygiene regulations, to prevent such operations.

Consider the case of a state cyber agency that operates through cyber infrastructure in another state in an effort to mask its involvement in cyber operations against a vaccine research facility in a third state. Since the operation is mounted from cyber infrastructure on its territory, the due diligence obligation of the second state is implicated if the second state learns of the operation. However, to find a breach, a right of the third state would have to be affected. For instance, mere cyber espionage against the facility would be unlikely to satisfy this requirement unless it qualified as one of the aforementioned internationally wrongful acts, an unlikely prospect. Even if it did, the resulting effects would have to be very serious. Minor interference with the third state’s pandemic response plan, as in the case of necessitating additional cyber security measures to preclude further incidents, would not suffice to impose a due diligence obligation.

By contrast, if the operation interfered with the development, testing or production of the vaccine, thereby slowing its delivery to the public and placing individuals at risk, it would qualify, for example, as a serious breach of the obligations to respect the sovereignty of other states and refrain from intervening in their internal affairs. The second state would be required to take all feasible measures to put an end to the operation.

Whereas the due diligence rule applies to the state from or through which the cyber operations directed at vaccine R & D emanate, the international human rights law positive obligation to take feasible measures to “protect” [see, e.g., ICCPR, Article 2(1)] requires states where that activity manifests to take action in response to threats to health or life of individuals on their territory (see, e.g., Öneryildiz). As the Human Rights Committee has noted, the obligation to protect the right to life requires a state to take “appropriate measures to address the general conditions in society that may give rise to direct threats to life,” including life-threatening diseases. The Committee on Economic, Social and Cultural Rights has similarly opined that states breach the positive obligation to protect the right to health if they fail “to take all necessary measures to safeguard persons within their jurisdiction from infringements of the right to health by third parties.” Therefore, any cyber operation directed at vaccine R & D that poses a risk to the health or life of individuals on a state’s territory, even when conducted from abroad, and whether conducted by a state or non-state actor, triggers that state’s obligation to take all feasible steps to terminate it.

Concluding Thoughts

Under current international law, whether a cyber operation targeting vaccine R & D amounts to an internationally wrongful act depends primarily on the consequences that result. Those affecting health or life surely qualify as such. By contrast, espionage that does not cause the requisite effects does not violate international law, although it obviously raises a host of ethical questions.

This being so, states should consider adoption of a so-called “voluntary non-binding norm of responsible state behavior” affording “special protection” of medical activities, including vaccine and other medical research, from cyber operations, as is the case during armed conflict in international humanitarian law. The ongoing UN GGE and Open-Ended Working Group provide an apt mechanism for doing so. Even if not adopted, merely raising the prospect would force states to take a stand on putting medical activities off-limits in the midst of this horrific pandemic.
