Mistake of Fact in Putative Self-Defence Against Cyber Attacks

Published on January 17, 2020

I am glad that Marko has taken on the task of tackling the issue of mistakes of fact in international law, as I completely agree that it is a very important yet so far largely overlooked aspect, surprisingly so. While I’d mostly approve of Marko’s deliberations and conclusions, I wanted to add a brief point that I came across while doing research for my soon-to-be-published book on remedies in cyberspace that might be suitable to further inform this important debate. Given the technical features of cyber infrastructures, the issue of mistakes of fact in relation to measures taken in self-defence is even more critical in this context.

This is because a state might of course not only factually err in regard to the existence of an armed attack pursuant to Article 51 UN Charter, but just as well in relation to its author. This issue has come up more recently in connection with armed attacks in or through cyberspace and the widely discussed attribution problem. An imminent crisis caused by a cybersecurity incident as the result of a malicious cyber operation that indeed leaves “no choice of means, and no moment of deliberation” is easily imaginable. At the same time, given the persistent difficulty to identify an operation’s source and agent with reasonable certainty reasonably fast, it is equally easily imaginable that mistakes will happen – leading to a forceful response in putative self-defence against the wrong target (for instance a critical server in an uninvolved third country that had been employed in order to carry out the malicious operation). What should be the legal consequences of such a mistake of fact?

France Speaks Out on IHL and Cyber Operations: Part II

Published on October 1, 2019

In the first part of this post I discussed the position paper’s articulation of the views of France on the applicability of IHL to cyber operations, on the classification of armed conflicts, and on their geographical scope in the cyber context. In this part I will examine the position paper’s views on the concept of “attack,” on the conduct of hostilities and on data as an object.

The Meaning of the Term “Attack”

The issue of the meaning of the term “attack” has occupied center stage from the very inception of legal thinking about cyber operations during an armed conflict. It is a critical one because most key IHL “conduct of hostilities” rules are framed in terms of attacks – it is prohibited to direct “attacks” against civilians or civilian objects (distinction), an “attack” expected to cause collateral damage that is excessive to the anticipated military advantage is prohibited (proportionality), parties must take precautions in “attack” to minimize harm to civilians (precautions in attack), etc.  These prohibitions, limitations, and requirements beg the question of when a cyber operation qualifies as an “attack” such that the rules govern it.

France Speaks Out on IHL and Cyber Operations: Part I

Published on September 30, 2019

The French Ministry of the Armies (formerly the Ministry of Defense) has recently released Droit International Appliqué aux Opérations dans le Cyberspace (International Law Applicable to Operations in Cyberspace), the most comprehensive statement on the applicability of international law (IHL) to cyber operations by any State to date.  The position paper dealt definitively with many of the current unsettled issues at the forefront of governmental and scholarly discussions.

This two-part post builds on an earlier post at Just Security in which I examined the position paper’s treatment of the relationship between peacetime international law, including that set forth in the UN Charter regarding uses of force, and hostile cyber operations. The focus here, by contrast, is on France’s views as to how IHL applies in the cyber context. Key topics addressed in the paper include the applicability of IHL in cyberspace; classification and geography of cyber conflict; the meaning of the term “attack” in the cyber context; the legal nature of data during an armed conflict; and other significant IHL prohibitions, limitations, and requirements on cyber operations.

Did the US Stay “Well Below the Threshold of War” With its June Cyberattack on Iran?

Published on September 2, 2019

On 20 June 2019, the United States conducted a major cyberattack against Iran in response to Iran’s (alleged) attacks on oil tankers in the Hormuz Strait and the downing of an American surveillance drone. The attack was widely reported at the time, but on 28 August the New York Times published important new details, which included information about the legal-strategic thinking of the Americans. Specifically, it was reported that the US cybercampaign against Iran was “calibrated to stay well below the threshold of war”. Translated into legalese, this seems to imply that the Americans aim to keep their activities at a level that undoubtedly falls short of legal thresholds like article 2(4) of the UN Charter, which defines use of force, and common article 2 of the Geneva Conventions, which de facto triggers the laws of war. In this post, I discuss whether the Americans succeeded in keeping their distance from such thresholds.

The attack

In the original reporting on the attack by Yahoo! News, it was noted that the operation targeted “an Iranian spy group” with “ties to the Iranian Revolutionary Guard Corps”, which supported attacks on commercial ships in the Hormuz Strait. The precise object of attack was not specified, but it was mentioned that the group had “over the past several years digitally tracked and targeted military and civilian ships passing through the economically important Strait of Hormuz”.

Un-caging the Bear? A Case Study in Cyber Opinio Juris and Unintended Consequences

Published on October 24, 2018

On October 4, the United Kingdom’s National Cyber Security Centre (NCSC), a division of the GCHQ, issued a news release attributing multiple cyber campaigns to Russia’s military intelligence service, the GRU. They were, according to the NCSC, designed to ‘undermine [the] international sporting institution WADA [World Anti-Doping Agency], disrupt transport systems in Ukraine, destabilise democracies and target businesses’.

The release was notable in two regards. As the campaigns were conducted by the GRU, an organ of the Russian government, Russia is legally responsible under the law of State responsibility for any violations of international law that may have occurred. Second, the release stated that the operations were ‘conducted in flagrant violation of international law’. Indeed, Foreign Secretary Jeremy Hunt, whom the release quoted, observed, ‘[t]his pattern of behaviour demonstrates their desire to operate without regard to international law or established norms and to do so with a feeling of impunity and without consequences’. 

Unfortunately, neither the NCSC nor the Foreign Secretary delineated those rules of international law that Russia allegedly violated or otherwise undermined. In this post, we attempt to tease loose the legal significance of the operations by measuring them against the recently enunciated UK positions on international law in the cyber context. Attorney General Jeremy Wright set forth these positions in a 23 May Chatham House speech. We first highlight the UK approach to the key international law prohibitions that are relevant vis-à-vis the Russian operations. Second, we assess the operations themselves against the UK position on these legal rules. Finally, we conclude by making the point that legal policy decisions with respect to cyberspace may prove a double-edged sword. Compelling reasons may exist for adopting particular positions regarding international law norms in cyberspace, but seldom are those positions cost-free. In particular, we suggest that the United Kingdom’s rejection of a rule requiring respect for the sovereignty of other States eliminates its most defensible basis for arguing that the Russian cyber campaigns undermined international law. Other States should bear this in mind before following suit.

The NotPetya Cyber Operation as a Case Study of International Law

Published on July 11, 2017

The recent “NotPetya” cyber-operation illustrates the complexity of applying international law to factually ambiguous cyber scenarios. Manifestations of NotPetya began to surface on 27 June when a major Ukrainian bank reported a sustained operation against its network. The Ukrainian Minister of Infrastructure soon announced ‘an ongoing and massive attack everywhere’.  By the following day, NotPetya’s impact was global, affecting, inter alia, government agencies, shipping companies, power providers, and healthcare providers. However, there are no reports of NotPetya causing deaths or injuries.

Cybersecurity experts have concluded that despite being initially characterized as a ransomware attack similar to WannaCry and Petya, NotPetya was directed at specific systems with a purpose of ‘causing economic losses, sowing chaos, or perhaps testing attack capabilities or showing own power’. Additionally, most agree that Ukraine was the target of the operation, which bled over into other States. The key question, however, is the identity of the attacker. NATO Cooperative Cyber Defence Centre of Excellence experts have opined that ‘NotPetya was probably launched by a state actor or a non-state actor with support or approval from a state.’

Although the facts are less than definitively established, the EJIL: Talk! editors have asked us to analyse the incident on the assumption that it is factually and legally attributable to a State. We begin with a peacetime international law survey and conclude with an international humanitarian law (IHL) analysis.