Cyberattack on Civilian Institutions, Park Jin-hyok, North Korea, and International Law
Joel Trachtman, Professor of International Law, The Fletcher School of Law and Diplomacy, Tufts University
The U.S. Justice Department (“Justice”) has indicted Park Jin-hyok, allegedly a North Korean intelligence officer, charging him under U.S. law with computer fraud and wire fraud. Mr. Park is alleged to have caused a lot of trouble, destroying data at Sony Pictures, robbing the Bangladeshi Central Bank, and using “Wannacry” software to hold hundreds of thousands of computers around the world for ransom and cripple the British National Health Service. The indictment provides a detailed description of the alleged acts.
However, it may be understood as an indictment also of the international legal system that there is no clear international legal response, as opposed to a domestic law response, to these actions. There is no consensus on whether these types of non-ballistic, non-violent acts would violate the UN Charter’s prohibition on “the threat or use of force against the territorial integrity or political independence of any state . . . .” The authoritative Tallinn Manual states that “A cyber operation constitutes a use of force when its scale and effects are comparable to non-cyber operations rising to the level of a use of force.” There is no consensus on whether a target state is permitted to retaliate in a way that would otherwise violate international law under Article 51 of the UN Charter. There is no court with jurisdiction to determine these things definitively. Moreover, it is difficult to argue that these North Korean acts, without more evidence of physical destruction, would qualify.
It is extremely unlikely that North Korea would extradite one of its intelligence officers for these acts, just as it is unlikely that the U.S. would extradite one of its intelligence officers for similar acts, alleged to have been committed against Iranian nuclear facilities.
Furthermore, the international legal rules of state responsibility for wrongful acts apply to acts that are violations of international law. Unless the North Korean acts violate the Charter prohibition on the use of force, it is uncertain whether any international law has been violated. Some argue that these types of acts are violations of a general rule of sovereignty, but the specific content of the rule of sovereignty is uncertain.
Fundamentally, international law rules of territorial sovereignty, and territorial integrity, pose the question of what activities a foreign state may carry out within the territory of a target state, without violating these rules. If territorial sovereignty includes the political independence and the right to exclude other states from exercising state functions within the territory of the first state, the question becomes whether cyberattack is an infringement of political independence or an exercise of state functions.[i] However, in order to rise to the level of a violation of international law, “a prohibited intervention [as opposed to a mere interference] must accordingly be one bearing on matters in which each State is permitted, by the principle of State sovereignty, to decide freely.”[ii] So the extent to which a cyberattack on civilians violates customary international law will depend on the type of cyberattack, including its intent and consequences. Indeed, the Tallinn Manual 2.0, in its Rule 4, asserts that “[a] State must not conduct cyber operations that violate the sovereignty of another State.” Rule 4 leaves open the question of what types of measures would violate the sovereignty of another state. The question of the content of state sovereignty, and whether it itself is a rule or is a principle “undergirding binding norms”[iii] that are articulated separately, is subject to debate.
Gary Corn and Robert Taylor argue that below the threshold of armed attack, “there is insufficient evidence of either state practice or opinion juris to support assertions that the principle of sovereignty operates as an independent rule of customary international law that regulates states’ actions in cyberspace.”[iv] However, they also allow that there is general consensus that cyber actions that amount to a prohibited intervention violate international law.[v] They compare some types of cyber operations to pre-digital espionage:
[I]t is widely recognized that states have unquestioned authority to prohibit espionage within their territory under their domestic laws, but it is also widely recognized that international law does not prohibit espionage. States have long engaged in espionage operations that involve undisclosed entry and activities within the territory of other states, subject only to the risk of diplomatic consequences or the exercise of domestic jurisdiction over intelligence operatives if discovered and caught. Within this framework, it is understood that espionage may violate international law only when the modalities employed otherwise constitute a violation of a specific provision of international law, such as an unlawful intervention or a prohibited use of force.
On the other hand, Michael Schmitt and Liis Vihul point out that “the premise of sovereignty as a primary rule of international law capable of being violated was accepted unanimously by the international law scholars and practitioners who prepared the 2013 Tallinn Manual on the International Law Applicable to Cyber Warfare, as well as those who produced its 2017 successor, Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations.”[vi] They argue that the evidence cited by Corn and Taylor of a general permissive rule, allowing incursions on sovereignty so long as they do not rise to the level of an armed attack or a prohibited intervention, is better seen as the operation of exceptions for particular types of actions that, but for exceptions, would be prohibited by a general rule of sovereignty. They conclude that “only if lex specialis subsequently emerges through treaty or crystallization of customary law, as in the case of outer space, will cyber operations that would otherwise violate a State’s territorial sovereignty be permissible.”
It is possible that Corn and Taylor can be reconciled with Schmitt and Vihul on the basis that both see the need for more specific rules to determine the applicability of international law to cyberattacks that do not rise to the level of armed attack: the scope of “prohibited intervention” is uncertain. As the Tallinn 2.0 Manual concludes, the extent to which a prohibited intervention exists depends on two parameters: “(1) the degree of infringement upon the target State’s territorial integrity; and (2) whether there has been an interference with or usurpation of inherently governmental functions.”[vii]
In an example of recent practice in this field, and perhaps opinio juris, the U.S. has enacted its 2019 National Defense Authorization Act, which includes authorization for “active defense” against cyberattacks by Russia, China, North Korea, or Iran.[viii] Under that authority, if the U.S. President determines that one of those countries “is conducting an active, systematic, and ongoing campaign of attacks against the Government or people of the United States in cyberspace, including attempting to influence American elections and democratic political processes, [the President] may authorize the Secretary of Defense . . . to take appropriate and proportional action in foreign cyberspace to disrupt, defeat, and deter such attacks . . . .”
This constitutes a focused conditional authorization, allowing proportional cyber responses to systematic cyberattacks on civilians that do not necessarily amount to armed attacks. The most likely way to understand this under international law is as predicated on a position that the original attacks are violations of international law, and that the response is a permitted countermeasure under international law.
For now, states will act and respond to cyber attacks that do not rise to the level of armed attack without legal guidance. Next week, The Fletcher School of Law and Diplomacy’s Center for International Law and Governance will host an international conference to develop international legal rules to clearly prohibit and to prevent governmental attacks on foreign civilians that do not rise to the level of an armed attack.
_____________________
[i] See Benedikt Pirker, Territorial Sovereignty and Integrity and the Challenges of Cyberspace, in Peacetime Regime for State Activities in Cyberspace (Katharina Ziolkowski, ed. NATO Cooperative Cyber Defense Center of Excellence 2014).
[ii] Case Concerning Military and Paramilitary Activities in and Against Nicaragua (Nicaragua v. United States) ICJ Reports 1986, 14, para 205.
[iii] Gary P. Corn and Robert Taylor, Sovereignty in the Age of Cyber, 111 American Journal of International Law 207 (2017).
[iv] Id. at 208.
[v] See also paragraphs 7 and 8 of the commentary accompanying Rule 10 of the Tallinn 2.0 Manual.
[vi] Michael N. Schmitt and Liis Vihul, Respect for Sovereignty in Cyberspace, 95 Texas Law Review 1639-1670 (2017).
[vii] Tallinn Manual 2.0, at 20.
[viii] H.R. 5515: John S. McCain National Defense Authorization Act for Fiscal Year 2019, Pub.L. 115-232, enacted August 13, 2018, section 1642.