The NotPetya Cyber Operation as a Case Study of International Law

The recent “NotPetya” cyber-operation illustrates the complexity of applying international law to factually ambiguous cyber scenarios. Manifestations of NotPetya began to surface on 27 June when a major Ukrainian bank reported a sustained operation against its network. The Ukrainian Minister of Infrastructure soon announced ‘an ongoing and massive attack everywhere’.  By the following day, NotPetya’s impact was global, affecting, inter alia, government agencies, shipping companies, power providers, and healthcare providers. However, there are no reports of NotPetya causing deaths or injuries.

Cybersecurity experts have concluded that despite being initially characterized as a ransomware attack similar to WannaCry and Petya, NotPetya was directed at specific systems with a purpose of ‘causing economic losses, sowing chaos, or perhaps testing attack capabilities or showing own power’. Additionally, most agree that Ukraine was the target of the operation, which bled over into other States. The key question, however, is the identity of the attacker. NATO Cooperative Cyber Defence Centre of Excellence experts have opined that ‘NotPetya was probably launched by a state actor or a non-state actor with support or approval from a state.’

Although the facts are less than definitively established, the EJIL: Talk! editors have asked us to analyse the incident on the assumption that it is factually and legally attributable to a State.  We begin with a peacetime international law survey and conclude with an international humanitarian law (IHL) analysis.  Our approach tracks that recently laid out in an article designed to operationalize Tallinn Manual 2.0.

Peacetime Law

Assuming away the existence of an international armed conflict solely for the sake of discussion, the question is whether any State behind NotPetya has committed an international wrongful act, which the ILC’s Articles on State Responsibility (ASR) define as an action or omission attributable to a State that breaches an international law obligation owed another State.  The most likely bases for attribution of NotPetya, set forth in Articles 4 and 8 respectively, are that organs of a State, such as the armed forces or intelligence agencies, or non-State actors under a State’s ‘instruction or direction or control’, conducted the operation.

As we have been asked to assume attribution, the crux of the matter is the requirement that an obligation have been breached.  Three are relevant here: respect for sovereignty, the principle of non-intervention, and the prohibition on the use of force.

Sovereignty: Breaches of the obligation to respect a State’s sovereignty primarily occur in two ways: violations of territorial integrity and interference with inherently governmental functions.  Territorial integrity is violated when remote cyber means are used to cause physical damage to public or private cyber infrastructure (or injury to persons) in another State.  Increasingly, operations significantly affecting the functionality of cyber infrastructure (for instance, as in requiring repair or replacement of hardware or recreation of data essential for the operation of bespoke system) are also characterized, correctly in our opinion, as violating sovereignty. The available facts are limited as to the length and reversibility of the various losses of functionality caused by NotPetya, making a determination on the question premature.

The law is unsettled as to lesser effects, such as permanently denying access to data or causing cyber infrastructure to operate in an unintended manner.  We are of the view that these effects do breach the obligation to respect sovereignty.  Since NotPetya seriously degraded or blocked the capability of cyber infrastructure in a manner exceeding that of temporary denial of service, the operation violated the sovereignty of those States where that infrastructure was located.

Cyber operations also violate sovereignty when they interfere with or usurp another State’s inherently governmental functions, irrespective of whether or where damage or injury results.  Most of the NotPetya effects did not qualify on this basis.  For instance, the impact on the Ukrainian banking system did not because banks are typically private and thus the function is not inherently governmental. However, the effects on government ministries may have qualified depending on whether the services interfered with fall within the exclusive competency of States.

Non-intervention: Breach of the principle of non-intervention requires coercive activities by or attributable to a State with respect to the domaine réservé of another State.  The domaine réservé comprises those activities left to States by international law, the classic examples, cited by the ICJ in its Nicaragua judgment, being the ‘choice of political, economic, social, and cultural system, and the formulation of foreign policy’.  Given its impact on government ministries, NotPetya may have affected the domaine réservé of one or more States; additional information would be useful in this regard.  Although ransomware is a paradigmatic means of cyber coercion, the paucity of evidence as to the motivations underlying NotPetya make it difficult to label the operation coercive. That said, unlawful uses of force, discussed below, are considered to be per se coercive interventions.

Use of Force:  Peacetime uses of force by a State against another State that either have not been authorized or mandated by the UN Security Council or do not qualify as self or collective defence are internationally wrongful acts. Cyber operations causing more than minor injury or physical damage are incontrovertibly uses of force.  There is no evidence that NotPetya caused such consequences.  Operations resulting in permanent or extended loss of cyber functionality also rise, in our view, to the level of a use of force, but, as noted, the available facts on this issue vis-à-vis NotPetya are sketchy.  There is a growing sense that non-destructive cyber operations, such as those causing wide-spread economic destabilization, amount to uses of force.  While NotPetya’s pervasiveness with respect to Ukraine might have reached this level, the lack of clear State practice and opinio juris on the matter precludes definitive conclusions along these lines.

International Humanitarian Law

Applicability: IHL applies during armed conflicts. An international armed conflict (IAC) exists when hostilities between two States occur or when one State partially occupies territory of another, even when there is no resistance to the occupation.  It also occurs when a State is in ‘overall control’ of a non-State group that engages in hostilities against another State.  Of particular resonance in the NotPetya case is the fact that Ukraine and Russia are parties to an IAC in light of both the ongoing hostilities in eastern Ukraine that periodically involve Russian forces and the belligerent occupation of Crimea. Although the recent failure of the UN Group of Governmental Experts dealing with cyber norms was based in part on an unwillingness of some States to expressly acknowledge IHL’s applicability to cyber operations, our view, one shared by the ICRC, is that IHL governs any cyber operations having a nexus to an armed conflict. IHL plainly applies to cyber operations with a nexus to the IAC between Russia and Ukraine.

If a State launched NotPetya, Russia is the most likely suspect.  Indeed, the Ukrainian state security service has suggested Russian involvement in NotPetya. However, solely for the sake of discussion, assume another State was behind the operation.  The existence of an IAC on the basis of NotPetya and therefore IHL’s applicability, would depend on whether the operation constituted ‘hostilities’, a term Tallinn Manual 2.0 defines as ‘the collective application of means and methods of warfare’.  In our view, cyber operations rising to the level of an ‘attack’, as that term is understood in IHL, always qualify as hostilities.  Whether other operations do is unsettled in law.

Cyber operations that result in physical damage, injury, or death obviously constitute an attack. A cyber-operation directed against cyber infrastructure that causes no damage to the system itself is also an attack if it indirectly causes damage or injury, as in the case of manipulating air traffic control signals such that planes crash.  The majority of the Tallinn Manual 2.0 International Group of Experts also concluded that the loss of functionality equates to damage.  While other experts would draw the line still lower, there appears to be widespread consensus that, at least, cyber operations that injure or damage, including through functionality loss, qualify as attacks.  There being no definitive reports that NotPetya caused this level of damage, if a State other than Russia was behind the operation, then no IAC between the offending state and Ukraine was initiated by NotPetya.

Targeting Law

In addition to aiding in the determination of when hostilities have broken out, IHL conduct of hostilities rules are typically expressed in terms of ‘attacks’. Therefore, assuming Russia initiated NotPetya, most IHL rules governing targeting did not apply.  However, it must be remembered that a cyber operation that fails to cause the requisite effects is nevertheless an attack if it foreseeably would have done so, but was not yet activated (as in the case of time-delayed malware), was successfully intercepted, or fortuitously did not cause the foreseeable qualifying consequences. In the NotPetya operation, for instance, targets included the power grid, the Kiev airport, Ukrainian healthcare networks, and monitoring systems at Chernobyl.  If it was foreseeable that the operation risked injury or damage (a case-specific determination), NotPetya qualified as an attack to which the rules surveyed below apply.  Although the facts are too limited to make a definitive assesment, for the sake of illustrative analysis we will proceed as if the operation rose to the level of an attack.

By the principle of distinction, cyber attacks may not target civilians or civilian objects, the latter negatively defined as objects that are not military objectives.  Military objectives are objects ‘which by their nature, location, purpose or use make an effective contribution to military action and whose total or partial destruction, capture or neutralization, in the circumstances ruling at the time, offers a definite military advantage’.

Although certain types of cyber infrastructure affected by NotPetya sometimes qualify as dual-use targets based on the fact that they are in part used for military purposes (notably power grids and airfields), there is no evidence to suggest that their targeting in this case offered any military advantage. Other entities that were attacked, like banks, media organizations, and civilian healthcare networks, would only in rare cases qualify as military objectives.  This being so, and assuming for the sake of analysis that the operation had qualified as an attack, NotPetya violated the prohibition on attacking civilian objects and, indeed, amounted to a war crime.

It is also prohibited to conduct cyber attacks in an indiscriminate manner, that is, one that pays no heed to the distinction between lawful targets and protected objects. Even had it not been employed against specific civilian targets, the NotPetya malware was used indiscriminately, as evidenced by the widespread effects on civilian infrastructure and the fact that said damage did not result from attack on a lawful military objective.

It should be noted that even if the NotPetya operation did not qualify as an attack, IHL requires that parties to the conflict exercise ‘constant care’ to ‘spare’ the civilian population in the conduct of their military operations, including cyber operations.  To the extent NotPetya has a nexus to the conflict, it breached this obligation.  Moreover, the effects on Ukrainian healthcare networks (the requirement does not attach to those in neutral countries) implicate the requirement to ‘respect and protect’ medical units of a party to the conflict.  A cyber operation that degrades a healthcare network and thus interferes with the delivery of patient care runs afoul of this protection.

During an IAC, cyber operations affecting neutral States are further subject to the law of neutrality.  When effects of a belligerent cyber operation bleed-over into neutral territory, are foreseeable ,and rise above the de minimis threshold, the operation in question is arguably a violation of the neutral State’s rights.  Given the widespread and significant effects on non-Ukrainian cyber infrastructure, it the NotPetya operation likely violated the law of neutrality.

Finally, weapons employed during an armed conflict must be lawful per se, irrespective of how they are used.  Tallinn Manual 2.0 defines cyber weapons as ‘cyber means of warfare that are used, designed, or intended to be used to cause injury to, or death of, persons or damage to, or destruction of, objects, that is, that result in the consequences required for qualification of a cyber operation as an attack’.  Cyber weapons that cannot be directed at specific military objectives or that are susceptible to striking military objectives and civilian objects without distinction are prohibited as indiscriminate.  In our view, and assuming it is foreseeably and likely risks causing consequences at the attack level, the NotPetya malware appears to cross the line, as evidenced by its effects on cyber infrastructure beyond Ukraine, as well as presumably untargeted infrastructure within Ukraine.