[Annual Update] The Intersection of International Law and Cyber Operations: An Interactive Cyber Law Toolkit

The Cyber Law Toolkit is a dynamic interactive web-based resource for legal professionals who work with matters at the intersection of international law and cyber operations. At its heart, the Toolkit currently consists of 19 hypothetical scenarios. Each scenario contains a description of cyber incidents inspired by real-world examples, accompanied by detailed legal analysis. The aim of the analysis is to examine the applicability of international law to the scenarios and the issues they raise. The Toolkit was formally launched on 28 May 2019 in Tallinn, Estonia. Its first general annual update was published on October 2, 2020.

Content Assessment: [Annual Update] The Intersection of International Law and Cyber Operations: An Interactive Cyber Law Toolkit

Information - 95%
Insight - 95%
Relevance - 95%
Objectivity - 100%
Authority - 100%

97%

Excellent

A short percentage-based assessment of the qualitative benefit of the recently updated Cyber Law Toolkit published by the NATO Cooperative Cyber Defence Centre of Excellence (NATO CCDCOE).

Editor’s Note: Primarily addressed to legal practitioners with a working knowledge of international law, the Cyber Law Toolkit addresses a gap between academia and practice as far as international cyber law is concerned. Although there is a growing body of research in this area of international law, its outputs are often not easily adaptable to the needs of legal practitioners dealing with cyber incidents on a daily basis. The Toolkit attempts to bridge this gap by providing accessible yet precise practical solutions to scenarios based on real-life examples of cyber operations with international law relevance. The latest general annual update of the Toolkit was published on October 2, 2020.

Extract from the NATO Cooperative Cyber Defence Centre of Excellence

The Cyber Law Toolkit

The Cyber Law Toolkit is a dynamic interactive web-based resource for legal professionals who work with matters at the intersection of international law and cyber operations. The Toolkit may be explored and utilized in a number of different ways. At its heart, it currently consists of 19 hypothetical scenarios. Each scenario contains a description of cyber incidents inspired by real-world examples, accompanied by detailed legal analysis. The aim of the analysis is to examine the applicability of international law to the scenarios and the issues they raise.

Current Example Scenarios

  • Election Interference: In the run-up to a major election in State A, State B conducts a series of cyber incidents aimed at influencing the election outcomes. To a varying degree, these actions impact on the electoral campaign, the administration of the elections, as well as (eventually) the election results. Analysis in this scenario considers whether any of the specific actions, individually or taken together, may constitute violations of several rules of international law, specifically the obligation to respect the sovereignty of other States, the prohibition of intervention in the internal affairs of States, and the right to privacy of individuals.
  • Cyber Espionage Against Government Departments: A military unit of State B conducts a cyber espionage operation against State A’s Ministry of Foreign Affairs and its subordinate organizations. The data obtained in this operation is later published on the internet by State B. The analysis considers whether State B’s operation violated sovereignty, the prohibition of intervention, and diplomatic and consular law.
  • Cyber Operations Against Power Grid: Intelligence services of a State compromise the supply chain of an industrial control system in another State, thereby gaining access to a part of its electric power grid. Subsequent operations bring down the grid, leading to prolonged blackouts. The scenario considers whether such incidents may amount to, among others, a prohibited use of force, an intervention in the internal affairs of another State, or a violation of the sovereignty of another State. Specific consideration is given to whether there exists a standalone obligation to refrain from conducting operations against critical infrastructure of other States through cyber means.
  • A State’s Failure to Assist an International Organization: An international organization falls victim to cyber attacks, the impact of which could and should have been averted by the host state. The scenario explores the obligation of due diligence on the part of the host state and whether and under what circumstances the international organization may resort to countermeasures.
  • State Investigates and Responds to Cyber Operations Against Private Actors in its Territory: This scenario considers a series of malicious cyber operations originating from one State’s territory and targeting private entities on the territory of another. In the course of investigation, and after failing to receive cooperation from the suspected offending State, the victim State opts to penetrate the networks of the suspected offending State without consent. The victim State thereafter discovers that the suspected offending State’s military personnel was involved in some of the malicious cyber operations. This scenario analyses the rules of State responsibility, including attribution and the degrees of responsibility of the State of origin, the international obligations that may have been breached, and the ability of the victim State to justify its response under the law of countermeasures.
  • Cyber Countermeasures Against an Enabling State: A country believed to possess highly developed cyber capabilities repeatedly fails to assist other States in countering cyber attacks emanating from its territory. After yet another malicious cyber operation from the former State’s territory results in numerous casualties abroad, the said State comes under a large-scale DDoS attack. The scenario considers the international obligation of due diligence in the cyber context and the ability of States to take countermeasures in response to violations of that obligation.
  • Leak of State-Developed Hacking Tools: This scenario concerns the leak of State-developed hacking tools, the failure of a State to inform software companies of vulnerabilities in their products, and the repurposing of the hacking tools for criminal purposes. The legal analysis of this scenario examines the obligation of due diligence, the obligation to respect sovereignty, and the prohibition of intervention.
  • Certificate Authority Hack: The scenario analyses a cyber operation against a certificate authority that provides services to private and public entities, with indications that the operation was commissioned or exploited by a State. What are the relevant human rights obligations in cyberspace? What other international obligations may have been breached?
  • Economic Cyber Espionage: Private entities become targets of economic cyber espionage by or on behalf of a State. Under what circumstances can cyber espionage be attributed to the State and the latter be held responsible under international law? What measures, if any, can the victim State lawfully take in response?
  • Cyber Weapons Review: State A develops new malware capable of physical destruction of enemy military equipment. However, if released, it is also expected to result in the temporary impairment of the use of civilian cyber infrastructure through which it may spread in order to reach its target. This scenario considers State obligations to conduct a weapons review with respect to cyber capabilities of this kind potentially already in peacetime, well before they may actually be deployed in time of armed conflict. In particular, it examines whether such malware constitutes a weapon that is inherently indiscriminate and therefore prohibited by International Humanitarian Law.
  • Sale of Surveillance Tools in Defiance of International Sanctions: In spite of an international embargo, a State procures and uses exploits developed by a private entity in order to pursue its political objectives. Analysis in this scenario considers whether the use of the exploits violates the human rights obligations of the acting State or the sovereignty of other States. It also looks at which States are responsible for breaking the embargo and whether the Convention on Cybercrime has any bearing on the matter.
  • Cyber Operations Against Computer Data: In the context of an armed conflict, one belligerent conducts a series of cyber operations against the datasets associated with the other belligerent. These include data used for military purposes, essential civilian datasets, and data serving the enemy’s propaganda. The analysis in this scenario considers the lawfulness of cyber operations designed to corrupt or delete various types of datasets under the law of armed conflict. It particularly focusses on the question of whether data qualifies as an “object” for the purposes of the law of armed conflict and whether, as such, it comes within the definition of a military objective.
  • Cyber Operations as a Trigger of the Law of Armed Conflict: Two States and one non-State actor get involved in an armed confrontation featuring a combination of cyber and kinetic operations. The outside State provides various forms of financial and military support to the non-State group in its struggle against the territorial State. The analysis in this scenario considers whether any of the relevant incidents trigger the application of the law of armed conflict and it considers whether the resulting situation would qualify as either an international or a non-international armed conflict.
  • Ransomware Campaign: Municipal governments and health care providers in one State fall victim to a ransomware campaign launched by a non-State group in a second State. The ransomware campaign disables municipal and health care services in the first State. The scenario explores how the ransomware campaign may be classified under international law. It first considers whether the campaign is a breach of an international obligation attributable to a State. It then discusses the possible legal responses available to the victim State.
  • Cyber Deception During an Armed Conflict: Two States are involved in an armed conflict. In order to facilitate the launch of a major military offensive, one of the States engages in several cyber deception operations against the other State. The analysis in this scenario considers whether the operations comply with the relevant rules of international humanitarian law, including the prohibition of perfidy and the prohibition on improper use of internationally recognized emblems, signs, and signals.
  • Cyber Attacks Against Ships on the High Seas: This scenario considers a series of cyber operations against merchant vessels and warships on the high seas from the perspective of public international law. It analyses in particular issues related to jurisdiction and freedom of navigation on the high seas, as well as whether the cyber operations amounted to a prohibited use of force.
  • Collective Responses to Cyber Operations: A State falls victim to a wide range of cyber operations and asks its allies for help. Specifically, the State wants its allies to collectively and publicly attribute the cyber operations to the perpetrator State, to implement travel bans and asset freezes against the individual perpetrators and to undertake collective countermeasures against the responsible State to induce it to cease the cyber operations. The scenario explores the legality of these collective responses to cyber operations from the perspective of international law.
  • Legal Status of Cyber Operators During Armed Conflict: During a conventional armed conflict, a State deploys three groups of persons for its cyber operations against an enemy State. A fourth, civilian group, joins the fight and launches cyber operations against the same enemy. The scenario analyses the lawfulness of the lethal targeting of these four different types of cyber operators. It particularly concentrates on the status and functions of the relevant personnel.
  • Hate Speech: State A uses a social media platform headquartered in State B to incite racial and religious hatred against an ethnic and religious minority in its own territory. The resulting violence escalates into a non-international armed conflict involving cyber operations between State A and members of the ethnic and religious minority who organise themselves into an armed opposition group. The scenario analyses whether the incidents amounted to violations of international law, including international human rights law, international humanitarian law and international criminal law.

Additionally, the Toolkit shares more than twenty real-world incidents that have inspired the analysis (and scenarios) presented in the project. These examples include:

About the Cyber Law Toolkit and Project

The Toolkit was formally launched on 28 May 2019 in Tallinn, Estonia, and the project is run by a consortium of five partner institutions: Czech National Cyber and Information Security Agency (NCISA), International Committee of the Red Cross (ICRC), NATO Cooperative Cyber Defence Centre of Excellence (NATO CCDCOE), University of Exeter, and Wuhan University. The project team consists of Dr. Kubo Mačák (Exeter), General Editor, Mr. Tomáš Minárik (NCISA), Managing Editor, and Ms. Taťána Jančárková (NATO CCDCOE), Scenario Editor. The individual scenarios and the Toolkit have been reviewed by a team of more than 30 external experts and peer reviewers. The Toolkit is an interactive resource that is continuously developed and updated, with its first general annual update published on October 2, 2020.

Learn more about the toolkit and project at Cyber Law Toolkit

Source: ComplexDiscovery
