Sun. Sep 25th, 2022
    en flag
    nl flag
    et flag
    fi flag
    fr flag
    de flag
    pt flag
    ru flag
    es flag

    Editor’s Note: Primarily addressed to legal practitioners with a working knowledge of international law, the Cyber Law Toolkit addresses a gap between academia and practice as far as international cyber law is concerned. Although there is a growing body of research in this area of international law, its outputs are often not easily adaptable to the needs of legal practitioners dealing with cyber incidents on a daily basis. The Toolkit attempts to bridge this gap by providing accessible yet precise practical solutions to scenarios based on real-life examples of cyber operations with international law relevance.

    Extract from the NATO Cooperative Cyber Defence Centre of Excellence (NATO CCDCOE)

    The Cyber Law Toolkit

    The Cyber Law Toolkit is a dynamic interactive web-based resource for legal professionals who work with matters at the intersection of international law and cyber operations. The Toolkit may be explored and utilized in a number of different ways. At its heart, it currently consists of 14 hypothetical scenarios. Each scenario contains a description of cyber incidents inspired by real-world examples, accompanied by detailed legal analysis. The aim of the analysis is to examine the applicability of international law to the scenarios and the issues they raise.

    Current Example Scenarios

    • Election Interference: In the run-up to a major election in State A, State B conducts a series of cyber incidents aimed at influencing the election outcomes. To a varying degree, these actions impact on the electoral campaign, the administration of the elections, as well as (eventually) the election results. Analysis in this scenario considers whether any of the specific actions, individually or taken together, may constitute violations of several rules of international law, specifically the obligation to respect the sovereignty of other States, the prohibition of intervention in the internal affairs of States, and the right to privacy of individuals.
    • Cyber Espionage Against Government Departments: A military unit of State B conducts a cyber espionage operation against State A’s Ministry of Foreign Affairs and its subordinate organizations. The data obtained in this operation is later published on the internet by State B. The analysis considers whether State B’s operation violated sovereignty, the prohibition of intervention, and diplomatic and consular law.
    • Cyber Operations Against Power Grid: Intelligence services of a State compromise the supply chain of an industrial control system in another State, thereby gaining access to a part of its electric power grid. Subsequent operations bring down the grid, leading to prolonged blackouts. The scenario considers whether such incidents may amount to, among others, a prohibited use of force, an intervention in the internal affairs of another State, or a violation of the sovereignty of another State. Specific consideration is given to whether there exists a standalone obligation to refrain from conducting operations against critical infrastructure of other States through cyber means.
    • A State’s Failure to Assist an International Organization: An international organization falls victim to cyber attacks, the impact of which could and should have been averted by the host state. The scenario explores the obligation of due diligence on the part of the host state and whether and under what circumstances the international organization may resort to countermeasures.
    • State Investigates and Reponds to Cyber Operations Against Private Actors in its Territory: This scenario considers a series of malicious cyber operations originating from one State’s territory and targeting private entities on the territory of another. In the course of investigation, and after failing to receive cooperation from the suspected offending State, the victim State opts to penetrate the networks of the suspected offending State without consent. The victim State thereafter discovers that the suspected offending State’s military personnel was involved in some of the malicious cyber operations. This scenario analyses the rules of State responsibility, including attribution and the degrees of responsibility of the State of origin, the international obligations that may have been breached, and the ability of the victim State to justify its response under the law of countermeasures.
    • Cyber Countermeasures Against and Enabling State: A country believed to possess highly developed cyber capabilities repeatedly fails to assist other States in countering cyber attacks emanating from its territory. After yet another malicious cyber operation from the former State’s territory results in numerous casualties abroad, the said State comes under a large-scale DDoS attack. The scenario considers the international obligation of due diligence in the cyber context and the ability of States to take countermeasures in response to violations of that obligation.
    • Leak of State-Developed Hacking Tools: This scenario concerns the leak of State-developed hacking tools, the failure of a State to inform software companies of vulnerabilities in their products, and the repurposing of the hacking tools for criminal purposes. The legal analysis of this scenario examines the obligation of due diligence, the obligation to respect sovereignty, and the prohibition of intervention.
    • Certificate Authority Hack: The scenario analyses a cyber operation against a certificate authority that provides services to private and public entities, with indications that the operation was commissioned or exploited by a State. What are the relevant human rights obligations in cyberspace? What other international obligations may have been breached?
    • Economic Cyber Espionage: Private entities become targets of economic cyber espionage by or on behalf of a State. Under what circumstances can cyber espionage be attributed to the State and the latter be held responsible under international law? What measures, if any, can the victim State lawfully take in response?
    • Cyber Weapons Review: State A develops new malware capable of physical destruction of enemy military equipment. However, if released, it is also expected to result in the temporary impairment of the use of civilian cyber infrastructure through which it may spread in order to reach its target. This scenario considers State obligations to conduct a weapons review with respect to cyber capabilities of this kind potentially already in peacetime, well before they may actually be deployed in time of armed conflict. In particular, it examines whether such malware constitutes a weapon that is inherently indiscriminate and therefore prohibited by International Humanitarian Law.
    • Sale of Surveillance Tools in Defiance of International Sanctions: In spite of an international embargo, a State procures and uses exploits developed by a private entity in order to pursue its political objectives. Analysis in this scenario considers whether the use of the exploits violates the human rights obligations of the acting State or the sovereignty of other States. It also looks at which States are responsible for breaking the embargo and whether the Convention on Cybercrime has any bearing on the matter.
    • Cyber Operations Against Computer Data: In the context of an armed conflict, one belligerent conducts a series of cyber operations against the datasets associated with the other belligerent. These include data used for military purposes, essential civilian datasets, and data serving the enemy’s propaganda. The analysis in this scenario considers the lawfulness of cyber operations designed to corrupt or delete various types of datasets under the law of armed conflict. It particularly focusses on the question of whether data qualifies as an “object” for the purposes of the law of armed conflict and whether, as such, it comes within the definition of a military objective.
    • Cyber Operations as a Trigger of the Law of Armed Conflict: Two States and one non-State actor get involved in an armed confrontation featuring a combination of cyber and kinetic operations. The outside State provides various forms of financial and military support to the non-State group in its struggle against the territorial State. The analysis in this scenario considers whether any of the relevant incidents trigger the application of the law of armed conflict and it considers whether the resulting situation would qualify as either an international or a non-international armed conflict.
    • Ransomware Campaign: Municipal governments and health care providers in one State fall victim to a ransomware campaign launched by a non-State group in a second State. The ransomware campaign disables municipal and health care services in the first State. The scenario explores how the ransomware campaign may be classified under international law. It first considers whether the campaign is a breach of an international obligation attributable to a State. It then discusses the possible legal responses available to the victim State.

    Additionally, the Toolkit shares more than twenty real-world incidents that have inspired the analysis (and scenarios) presented in the project. These examples include:

    About the Cyber Law Toolkit and Project

    The Toolkit was formally launched on 28 May 2019 in Tallinn, Estonia, and the project is run by a consortium of five partner institutions: Czech National Cyber and Information Security Agency (NCISA), International Committee of the Red Cross (ICRC), NATO Cooperative Cyber Defence Centre of Excellence (NATO CCDCOE), University of Exeter, and Wuhan University. The project team consists of Dr. Kubo Mačák (Exeter), General Editor, Mr. Tomáš Minárik (NCISA), Managing Editor, and Ms. Taťána Jančárková (NATO CCDCOE), Scenario Editor. The individual scenarios and the Toolkit have been reviewed by a team of more than 20 external experts and peer reviewers. The Toolkit is an interactive resource that is continuously developed and updated.

    Learn more about the toolkit and project at Cyber Law Toolkit

    Additional Reading

    Source: ComplexDiscovery


    Have a Request?

    If you have information or offering requests that you would like to ask us about, please let us know and we will make our response to you a priority.

    ComplexDiscovery is an online publication that highlights cyber, data, and legal discovery insight and intelligence ranging from original research to aggregated news for use by cybersecurity, information governance, and eDiscovery professionals. The highly targeted publication seeks to increase the collective understanding of readers regarding cyber, data, and legal discovery information and issues and to provide an objective resource for considering trends, technologies, and services related to electronically stored information.

    ComplexDiscovery OÜ is a technology marketing firm providing strategic planning and tactical execution expertise in support of cyber, data, and legal discovery organizations. Focused primarily on supporting the ComplexDiscovery publication, the company is registered as a private limited company in the European Union country of Estonia, one of the most digitally advanced countries in the world. The company operates virtually worldwide to deliver marketing consulting and services.

    Leaning Forward? The CISA 2023-2025 Strategic Plan

    The purpose of the CISA Strategic Plan is to communicate the...

    Continuous Risk Improvement? Q3 Cyber Round-Up From Cowbell Cyber

    According to Manu Singh, director of risk engineering at Cowbell, "Every...

    A Comprehensive Cyber Discovery Resource? The DoD Cybersecurity Policy Chart from CSIAC

    The Cyber Security and Information Systems Information Analysis Center (CSIAC) is...

    Rapidly Evolving Cyber Insurance? Q2 Cyber Round-Up From Cowbell Cyber

    According to Isabelle Dumont, SVP of Marketing and Technology Partners at...

    Revealing Response? Nuix Responds to ASX Request for Information

    The following investor news update from Nuix shares a written response...

    Revealing Reports? Nuix Notes Press Speculation

    According to a September 9, 2022 market release from Nuix, the...

    Regards to Broadway? HaystackID® Acquires Business Intelligence Associates

    According to HaystackID CEO Hal Brooks, “BIA is a leader in...

    One Large Software and Cloud Business? OpenText to Acquire Micro Focus

    According to OpenText CEO & CTO Mark J. Barrenechea, “We are...

    On the Move? 2022 eDiscovery Market Kinetics: Five Areas of Interest

    Recently ComplexDiscovery was provided an opportunity to share with the eDiscovery...

    Trusting the Process? 2021 eDiscovery Processing Task, Spend, and Cost Data Points

    Based on the complexity of cybersecurity, information governance, and legal discovery,...

    The Year in Review? 2021 eDiscovery Review Task, Spend, and Cost Data Points

    Based on the complexity of cybersecurity, information governance, and legal discovery,...

    A 2021 Look at eDiscovery Collection: Task, Spend, and Cost Data Points

    Based on the complexity of cybersecurity, information governance, and legal discovery,...

    Five Great Reads on Cyber, Data, and Legal Discovery for September 2022

    From privacy legislation and special masters to acquisitions and investigations, the...

    Five Great Reads on Cyber, Data, and Legal Discovery for August 2022

    From AI and Big Data challenges to intriguing financial and investment...

    Five Great Reads on Cyber, Data, and Legal Discovery for July 2022

    From lurking business undercurrents to captivating deepfake developments, the July 2022...

    Five Great Reads on Cyber, Data, and Legal Discovery for June 2022

    From eDiscovery ecosystem players and pricing to data breach investigations and...

    Cooler Temperatures? Fall 2022 eDiscovery Business Confidence Survey Results

    Since January 2016, 2,874 individual responses to twenty-eight quarterly eDiscovery Business...

    Inflection or Deflection? An Aggregate Overview of Eight Semi-Annual eDiscovery Pricing Surveys

    Initiated in the winter of 2019 and conducted eight times with...

    Changing Currents? Eighteen Observations on eDiscovery Business Confidence in the Summer of 2022

    In the summer of 2022, 54.8% of survey respondents felt that...

    Challenging Variants? Issues Impacting eDiscovery Business Performance: A Summer 2022 Overview

    In the summer of 2022, 28.8% of respondents viewed increasing types...

    Nuclear Options? Ukraine Conflict Assessments in Maps (September 17 – 21, 2022)

    According to a recent update from the Institute for the Study...

    Mass Graves and Torture Chambers? Ukraine Conflict Assessments in Maps (September 12 – 16, 2022)

    According to a recent update from the Institute for the Study...

    On The Run? Ukraine Conflict Assessments in Maps (September 7 – 11, 2022)

    According to a recent update from the Institute for the Study...

    Tangible Degradation? Ukraine Conflict Assessments in Maps (September 2 – 6, 2022)

    According to a recent update from the Institute for the Study...