Editor’s Note: Primarily addressed to legal practitioners with a working knowledge of international law, the Cyber Law Toolkit addresses a gap between academia and practice as far as international cyber law is concerned. Although there is a growing body of research in this area of international law, its outputs are often not easily adaptable to the needs of legal practitioners dealing with cyber incidents on a daily basis. The Toolkit attempts to bridge this gap by providing accessible yet precise practical solutions to scenarios based on real-life examples of cyber operations with international law relevance.
Extract from the NATO Cooperative Cyber Defence Centre of Excellence (NATO CCDCOE)
The Cyber Law Toolkit
The Cyber Law Toolkit is a dynamic interactive web-based resource for legal professionals who work with matters at the intersection of international law and cyber operations. The Toolkit may be explored and utilized in a number of different ways. At its heart, it currently consists of 14 hypothetical scenarios. Each scenario contains a description of cyber incidents inspired by real-world examples, accompanied by detailed legal analysis. The aim of the analysis is to examine the applicability of international law to the scenarios and the issues they raise.
Current Example Scenarios
- Election Interference: In the run-up to a major election in State A, State B conducts a series of cyber incidents aimed at influencing the election outcomes. To a varying degree, these actions impact on the electoral campaign, the administration of the elections, as well as (eventually) the election results. Analysis in this scenario considers whether any of the specific actions, individually or taken together, may constitute violations of several rules of international law, specifically the obligation to respect the sovereignty of other States, the prohibition of intervention in the internal affairs of States, and the right to privacy of individuals.
- Cyber Espionage Against Government Departments: A military unit of State B conducts a cyber espionage operation against State A’s Ministry of Foreign Affairs and its subordinate organizations. The data obtained in this operation is later published on the internet by State B. The analysis considers whether State B’s operation violated sovereignty, the prohibition of intervention, and diplomatic and consular law.
- Cyber Operations Against Power Grid: Intelligence services of a State compromise the supply chain of an industrial control system in another State, thereby gaining access to a part of its electric power grid. Subsequent operations bring down the grid, leading to prolonged blackouts. The scenario considers whether such incidents may amount to, among others, a prohibited use of force, an intervention in the internal affairs of another State, or a violation of the sovereignty of another State. Specific consideration is given to whether there exists a standalone obligation to refrain from conducting operations against critical infrastructure of other States through cyber means.
- A State’s Failure to Assist an International Organization: An international organization falls victim to cyber attacks, the impact of which could and should have been averted by the host state. The scenario explores the obligation of due diligence on the part of the host state and whether and under what circumstances the international organization may resort to countermeasures.
- State Investigates and Responds to Cyber Operations Against Private Actors in its Territory: This scenario considers a series of malicious cyber operations originating from one State’s territory and targeting private entities on the territory of another. In the course of investigation, and after failing to receive cooperation from the suspected offending State, the victim State opts to penetrate the networks of the suspected offending State without consent. The victim State thereafter discovers that the suspected offending State’s military personnel were involved in some of the malicious cyber operations. This scenario analyses the rules of State responsibility, including attribution and the degrees of responsibility of the State of origin, the international obligations that may have been breached, and the ability of the victim State to justify its response under the law of countermeasures.
- Cyber Countermeasures Against an Enabling State: A country believed to possess highly developed cyber capabilities repeatedly fails to assist other States in countering cyber attacks emanating from its territory. After yet another malicious cyber operation from the former State’s territory results in numerous casualties abroad, the said State comes under a large-scale DDoS attack. The scenario considers the international obligation of due diligence in the cyber context and the ability of States to take countermeasures in response to violations of that obligation.
- Leak of State-Developed Hacking Tools: This scenario concerns the leak of State-developed hacking tools, the failure of a State to inform software companies of vulnerabilities in their products, and the repurposing of the hacking tools for criminal purposes. The legal analysis of this scenario examines the obligation of due diligence, the obligation to respect sovereignty, and the prohibition of intervention.
- Certificate Authority Hack: The scenario analyses a cyber operation against a certificate authority that provides services to private and public entities, with indications that the operation was commissioned or exploited by a State. What are the relevant human rights obligations in cyberspace? What other international obligations may have been breached?
- Economic Cyber Espionage: Private entities become targets of economic cyber espionage by or on behalf of a State. Under what circumstances can cyber espionage be attributed to the State and the latter be held responsible under international law? What measures, if any, can the victim State lawfully take in response?
- Cyber Weapons Review: State A develops new malware capable of physical destruction of enemy military equipment. However, if released, it is also expected to result in the temporary impairment of the use of civilian cyber infrastructure through which it may spread in order to reach its target. This scenario considers State obligations to conduct a weapons review with respect to cyber capabilities of this kind potentially already in peacetime, well before they may actually be deployed in time of armed conflict. In particular, it examines whether such malware constitutes a weapon that is inherently indiscriminate and therefore prohibited by International Humanitarian Law.
- Sale of Surveillance Tools in Defiance of International Sanctions: In spite of an international embargo, a State procures and uses exploits developed by a private entity in order to pursue its political objectives. Analysis in this scenario considers whether the use of the exploits violates the human rights obligations of the acting State or the sovereignty of other States. It also looks at which States are responsible for breaking the embargo and whether the Convention on Cybercrime has any bearing on the matter.
- Cyber Operations Against Computer Data: In the context of an armed conflict, one belligerent conducts a series of cyber operations against the datasets associated with the other belligerent. These include data used for military purposes, essential civilian datasets, and data serving the enemy’s propaganda. The analysis in this scenario considers the lawfulness of cyber operations designed to corrupt or delete various types of datasets under the law of armed conflict. It particularly focusses on the question of whether data qualifies as an “object” for the purposes of the law of armed conflict and whether, as such, it comes within the definition of a military objective.
- Cyber Operations as a Trigger of the Law of Armed Conflict: Two States and one non-State actor get involved in an armed confrontation featuring a combination of cyber and kinetic operations. The outside State provides various forms of financial and military support to the non-State group in its struggle against the territorial State. The analysis in this scenario considers whether any of the relevant incidents trigger the application of the law of armed conflict and it considers whether the resulting situation would qualify as either an international or a non-international armed conflict.
- Ransomware Campaign: Municipal governments and health care providers in one State fall victim to a ransomware campaign launched by a non-State group in a second State. The ransomware campaign disables municipal and health care services in the first State. The scenario explores how the ransomware campaign may be classified under international law. It first considers whether the campaign is a breach of an international obligation attributable to a State. It then discusses the possible legal responses available to the victim State.
Additionally, the Toolkit shares more than twenty real-world incidents that have inspired the analysis (and scenarios) presented in the project. These examples include:
- Texas Municipality ransomware attack (2019)
- African Union headquarters hack (2018)
- SamSam ransomware incidents (2018)
- French presidential election leak (2017)
- WannaCry (2017)
- NotPetya (2017)
- Operation Cloudhopper (2017)
- Ethiopian surveillance of journalists abroad (2017)
- Wu Yingzhuo, Dong Hao and Xia Lei indictment (2017)
- DNC email leak (2016)
- The Shadow Brokers publishing the NSA vulnerabilities (2016)
- The Hacking Team Hack (2015)
- Power grid cyberattack in Ukraine (2015)
- Bundestag Hack (2015)
- Office of Personnel Management data breach (2015)
- Ukrainian parliamentary election interference (2014)
- Chinese PLA Unit 61398 indictments (2014)
- Sony Pictures Entertainment attack (2014)
- Steel mill in Germany (2014)
- Shamoon (2012)
- DigiNotar (2011)
- Stuxnet (2010)
- Georgia-Russia conflict (2008)
- Cyber attacks against Estonia (2007)
About the Cyber Law Toolkit and Project
The Toolkit was formally launched on 28 May 2019 in Tallinn, Estonia, and the project is run by a consortium of five partner institutions: Czech National Cyber and Information Security Agency (NCISA), International Committee of the Red Cross (ICRC), NATO Cooperative Cyber Defence Centre of Excellence (NATO CCDCOE), University of Exeter, and Wuhan University. The project team consists of Dr. Kubo Mačák (Exeter), General Editor, Mr. Tomáš Minárik (NCISA), Managing Editor, and Ms. Taťána Jančárková (NATO CCDCOE), Scenario Editor. The individual scenarios and the Toolkit have been reviewed by a team of more than 20 external experts and peer reviewers. The Toolkit is an interactive resource that is continuously developed and updated.