Malicious Cyber Operations, “Hackbacks” and International Law: An Austrian Example as a Basis for Discussion on Permissible Responses

Erich Schweighofer, Isabella Brunner, Jakob Zanol

Abstract

In January 2020, Austria publicly announced that some of its governmental institutions had been hit by a significant malicious cyber operation and that it could not be denied – at least for the moment – that a state was behind this operation. One month later, the Austrian Foreign Ministry declared the cyber operation to be officially over. While Austria noted that it took “countermeasures” against the operation, it is not entirely clear what it meant by that. This article examines what response options a state like Austria would have against a malicious cyber operation under the current framework of international law. It thus tries to answer when a “hackback” is lawful under international law and when it is not.

Keywords

Countermeasures; Cyber Defense; Cyberspace; Hackback; International Law; Law of State Responsibility; Malicious Cyber Operation

https://doi.org/10.5817/MUJLT2020-2-4



Copyright (c) 2020 Masaryk University Journal of Law and Technology