By Başak Köksal

[Başak Köksal is a senior law student at Istanbul University Faculty of Law, in Turkey. She is interested in International Cyberspace Law and Human Rights on the Internet. She is a member of Istanbul Center of International Law (ICIL) and International Law Students Association (ILSA).]

I. INTRODUCTION

Ransomware attacks are one of the cyber-related malicious activities aimed at encrypting the files or systems on the target device until such time that the ransom demanded in exchange for the decryption is paid. During the time the files are encrypted, the purpose is to render the files and the systems, that the targeted party needs for carrying out its services, inoperable until the determined ransom payment in cryptocurrency—     in general bitcoin—     is made. Up until now, there were several ransomware operations that have been carried out against the institutions providing health care services, governmental entities and global companies. These may lead to such dire consequences that in fact were considered only possible via kinetic attacks including loss of life and physical damage. One of the most striking and recent one was mounted against Kaseya which provides IT infrastructure to many transnational corporations and small businesses. Because of its prevalent interaction with the majority of the world, the attack constituted a supply chain attack by which thousands of businesses suffered from exploitation.

Considering all the damages that they caused, one important question may—     or should—     arise; who is the main actor behind and therefore responsible for these malicious activities? Is this the state from which the attack is launched or the non-state actor performing independently from the state where it operates? This post will deal with the question of circumstances under which states can be held responsible for a certain ransomware attack. It will firstly lay down the conditions for the attribution of ransomware campaigns to states and secondly it will discuss which norms of international law can be subject to a violation by them.

II. STATE RESPONSIBILITY ARISING FROM RANSOMWARE ATTACKS

As has been endorsed by the 2015 Report of United Nations Group of Governmental Experts (UN GGE), states’ positions and Tallinn Manual 2.0 reflecting the teachings of most highly qualified publicists in cyber field,  Articles on Responsibility of States for Internationally Wrongful Acts (ARSIWA) are also applicable to the activities of States in cyberspace. Therefore, states can be held responsible under international law for their internationally wrongful cyber acts.

Pursuant to Article 2 of ARSIWA, relating to the elements of an internationally wrongful act, the act in question must be attributable to a state and it must be in violation of international obligations imposed on that state. Attribution of cyber activities to a state consists of three main phases; first of which is the identification of the devices by which the cyber activities concerned are launched, secondly the identification of persons or group of persons behind them and last but not least the establishment of sufficient link between the state and the entity concerned. (Delerue, 2020, p. 55)  In that regard, Articles 4-11 of ARSIWA, stating the circumstances in which the conduct is attributable to a state, must be taken into account when assessing the involvement of states in cyberattacks. Among them, Article 8 needs a closer look specifically in the cyber context due to the fact that states tend to act through private groups composed of specialized hackers to protect themselves from any accusations. (Collier, 2017, p. 25)  According to that article, the conduct of a person or group of persons shall be considered an act of a State so long as the conduct is carried out upon the instructions or directions or under the control of that state.

In terms of cyber activities, there is a controversy regarding the degree of control sought to attribute the conduct of private entities to States. On one hand, some of the states (e.g. Brazil and Norway) have reaffirmed “effective control” test which was introduced by the International Court of Justice in Nicaragua Case (Nicaragua v. United States, 1986, p. 65, para. 115) and afterwards endorsed in Bosnian Genocide Case (Bosnia and Herzegovina v. Serbia and Montenegro, 2007, p. 209, para. 401). According to that test, the conduct of private persons or groups can be imputed to a state provided that the state must be able to determine the execution of the actions concerned and terminate them whenever it wants.(Tallinn Manual 2.0, p. 96, para. 6)

On the other hand, there are some experts maintaining that this strict threshold is hardly attainable, and requires considerable effort to conclusively establish by the injured state, therefore there is a need for lower threshold (e.g. “virtual control” test, “control and capabilities” test) (Stockburger, 2017, p.7; Margulies, 2013, p.19).

Once the attack is conclusively attributed to a state, it must be considered whether the attack is in violation of international obligations owed by the alleged responsible state to the injured state. In the following section, the norms of international law that might be compromised by state-sponsored ransomware attacks will be analyzed, which will be followed by the illustration of real-life examples and consideration of different scenarios.

III. STATE-SPONSORED RANSOMWARE ATTACKS

In the event that the actions of the hackers are attributable to a state, these may constitute a breach of the prohibition of use of force, the principle of non-intervention, or the duty to respect the sovereignty of other states.

a) Use of Force

According to Roscini (2014), for cyber operations to fall within the scope of Article 2(4) of UN Charter related to the prohibition of use of force, the cyber operation in question must amount to a “threat” or “use of force” and the threat or use of force must be exerted in the conduct of “international relations”(p. 44). That force must reach the level of an “armed attack”. (The Charter of the United Nations: A Commentary Vol I p. 208, para 16) For a cyber-attack to be qualified as an armed attack, the effects-based approach requires that it must “cause or reasonably likely to cause the damaging consequences normally produced by kinetic weapons” (Roscini, 2014, p. 47) Considering this approach, ransomware attacks which have detrimental impacts on people’s lives (e.g. Springhill Medical Center ransomware attack), national critical infrastructures (e.g. SamSam ransomware incidents) are likely to amount to a use of force.

Moreover, Schmitt (2012) has also suggested some criteria in identifying cyber operations constituting armed attacks. These are severity, immediacy, directness, invasiveness, measurability of effects, military character, state involvement, and presumptive legality (p. 314-315). For these conditions, it may be held that ransomware attacks causing loss of life or injuries, critical damage to state property may satisfy the severity requirement. However, in terms of the directness and immediacy requirements, this assertion would not be justifiable anymore due to the fact that the initial act of ransomware operations, which is the encryption of data, do not inevitably and directly cause the above mentioned severe adverse consequences and these results do not take place immediately following the attack. Generally speaking, there is a length of time between the encryption of data and files and resulting outcomes. So that, pursuant to Schmitt’s criteria, despite its grave consequences, the prohibition of use of force is unlikely to be invoked for ransomware operations.

b) Intervention

Alternatively, a ransomware attack may be deemed a violation of the non-intervention rule  regarded as “part and parcel of customary international law” in Nicaragua Case (Nicaragua v. United States, 1986, p. 106, para. 202) although not as serious as a use of force but still a grave violation. A ransomware attack may be considered a prohibited intervention provided that it interferes with the inherent governmental functions of the target state and it is coercive by depriving the target state of determining its matters freely (Nicaragua v. United States, 1986, p. 108, para. 205). The first requirement would be met if the attack is intended to render the data or services protected and offered by the injured state inoperable. To illustrate, Texas Municipality was hit by a ransomware attack in 2019 rendering the vital records including birth and death certificates inaccessible. As for the second condition, the attack could be coercive if it compels the target state to act or change its attitudes with respect to a matter that falls within its internal affairs (See the positions of Netherlands and Germany). The injured state is compelled to follow one of the predetermined paths: to pay the ransom and decrypt the files it needed for the exercise of its functions or to deal with the problem on its own by taking a risk of possible procrastination in providing public services. As can be seen, in some way these attacks necessitating the payment of a huge amount in ransom shackles the target state to go along the path in which it passively carries out a policy regarding its internal affairs.

c) Sovereignty Principle

Violation of Sovereignty in cyberspace is an issue that also deserves attention. The international community is divided (Heller, 2021, p. 1444-1445) as to whether sovereignty is a standalone rule in cyberspace (explicit non-acceptance coming from UK, USA). Given that Sovereignty is not just a principle but a rule that may be violated by states’ cyber actions, the ransomware attack in question must reach one of the thresholds stipulated in Tallinn Manual 2.0 namely, physical damage, loss of functionality and intervention in inherently governmental functions of that state.

Physical damage is deemed to exist in cases where the ransomware attack causes loss of life or bodily harm (e.g. University Hospital Düsseldorf Attack) or destroys sophisticated systems or data (e.g. NotPetya Attack). If the attack does not cause material harm but necessitates costly and/or arduous repairs/replacements of the physical components of affected devices (e.g. National Ink Attack), the loss of functionality threshold would have been crossed. (Tallinn Manual 2.0, p.21, para. 13). Interference with or usurpation of inherently governmental functions through ransomware attacks may occur when the data or services that are necessary for the exercise of governmental functions are encrypted and rendered unusable thus violating the sovereignty principle.

IV. CONCLUSION

All in all, as can be seen, acts not only in the physical world but also in the virtual world may bring about physical and damaging consequences. Ransomware attacks pose a serious threat for both states and global companies and businesses. They may target critical infrastructures of states – such as health, justice, administration, and the databases of companies including those containing personal data or information regarding the exercise of their functions. It is imperative to identify the origin of these attacks and hold the perpetrators responsible in accordance with the law. In case the ransomware attack is attributable to a certain state, it is unlikely that a ransomware attack may be considered a use of force because of its nature not allowing the immediacy and directness criteria to be met. For the non-intervention rule, it may be challenging to prove that it is coercive. The most probable way to hold it internationally responsible is to cite the violation of sovereignty. Last but not least, the strict criteria regarding both attribution and use of force that has been held for kinetic attacks should be duly softened in terms of cyber operations, otherwise states may escape from international responsibility and move freely in this gray zone.

Views expressed in this article are the author’s own and are not representative of the official views of Jus Cogens Blog or any other institute or organization that the author may be affiliated with.