{"id":13035,"date":"2021-03-31T14:00:19","date_gmt":"2021-03-31T12:00:19","guid":{"rendered":"https:\/\/voelkerrechtsblog.org\/?p=13035"},"modified":"2021-04-01T09:59:39","modified_gmt":"2021-04-01T07:59:39","slug":"eye-on-the-spy","status":"publish","type":"post","link":"https:\/\/voelkerrechtsblog.org\/de\/eye-on-the-spy\/","title":{"rendered":"Eye on the Spy"},"content":{"rendered":"<p>During the Covid-19 pandemic, more services and activities have migrated online. Digital supply chains have therefore emerged as the lifeblood of modern society and interferences with them can be hugely disruptive, as two recent incidents have illustrated.<\/p>\n<p>In late 2020, SolarWinds, a US technology company, reported that its flagship Orion software had been hacked. The hack was \u2018<a href=\"http:\/\/www.cisa.gov\/news\/2021\/01\/05\/joint-statement-federal-bureau-investigation-fbi-cybersecurity-and-infrastructure\">likely Russian in origin<\/a>\u2019 and involved the insertion of malware in Orion. Unwittingly, SolarWinds sent software updates to its customers containing the malware. Upon installation, the malware created a back door in customers\u2019 computer networks and systems that enabled third parties to covertly access their confidential data. 
While thousands of SolarWinds customers from across the world were affected, it was largely US users that fell victim to the hack and they included government agencies, Fortune 500 businesses and individual citizens.<\/p>\n<p>In a separate incident, in early March 2021 Microsoft <a href=\"https:\/\/krebsonsecurity.com\/2021\/03\/at-least-30000-u-s-organizations-newly-hacked-via-holes-in-microsofts-email-software\/\">reported<\/a> that a malicious actor \u2013 which it identified as a Chinese-run cyber espionage unit \u2013 had exploited flaws in its 2013, 2016 and 2019 Exchange Server email software, enabling unauthorised access to the email accounts of at least 30,000 users worldwide, most of which were based in the US.<\/p>\n<p>These hacks amounted to acts of cyber espionage insofar as they penetrated computer networks and systems in order to access and collect confidential data. In this post, I examine whether cyber espionage operations that can be attributed to a State under the law on State responsibility breach international law. This post addresses that question in two parts. First, I examine whether State-sponsored cyber espionage operations against digital supply chains infringe the principle of territorial sovereignty. Second, assuming that acts of cyber espionage <em>prima facie<\/em> breach the principle of territorial sovereignty, I consider whether States have carved out a permissive customary espionage \u2018exception\u2019 to it.<\/p>\n<p><strong>The Principle of Territorial Sovereignty<\/strong><\/p>\n<p>States have failed to devise international law that directly and specifically regulates peacetime espionage. This has led some commentators to conclude that international law is \u2018silent\u2019 on the practice of spying (<a href=\"https:\/\/jnslp.com\/wp-content\/uploads\/2017\/10\/Spying-and-Fighting-in-Cyberspace_2.pdf\">Brown<\/a>, 621). This approach is mistaken. 
As will be shown as this post progresses, espionage interacts with international law and there is an array of principles of general international law and specialised regimes that may apply to espionage operations depending upon the underlying act.<\/p>\n<p>When it comes to hacks against digital supply chains, the most relevant rule of international law is the principle of territorial sovereignty. At its core, this principle protects the exercise of inherently governmental functions from external interference. What qualifies as an inherently governmental function differs between governments depending on their political constitution. However, some functions can only be carried out by States, such as deciding who can enter and who can leave their territory.<\/p>\n<p>According to the <a href=\"https:\/\/www.icj-cij.org\/public\/files\/case-related\/70\/070-19860627-JUD-01-00-EN.pdf#page=118\">ICJ<\/a>, acts of espionage breach the principle of territorial sovereignty where they involve non-consensual trespass into the physical territory of another State. Importantly, the territorial sovereignty principle applies to <a href=\"https:\/\/undocs.org\/A\/70\/174\">cyberspace<\/a> but a thorny question is whether it prohibits remotely conducted cyber operations and, if so, under what circumstances. The <a href=\"https:\/\/www.cambridge.org\/core\/books\/tallinn-manual-20-on-the-international-law-applicable-to-cyber-operations\/E4FFD83EA790D7C4C3C28FC9CA2FB6C9\">Tallinn Manual<\/a> experts agreed that the principle of territorial sovereignty applies to cyberspace and a majority of them held that it is only those State-sponsored cyber operations that produce harm against or within the cyber infrastructure of another State that breach this principle. More specifically, they concluded that it is only those remote cyber operations that, at a minimum, compromise the <em>functionality<\/em> of a computer system or network that are unlawful. 
Thus, the majority of experts determined that remotely launched cyber operations that merely intrude into the computer systems and networks of other States do not fall within the prohibitory scope of this principle. On the basis that remote access cyber espionage operations do not affect the functionality of computer networks or systems, these experts concluded that these operations do not fall foul of the principle of territorial sovereignty.<\/p>\n<p>As <a href=\"https:\/\/www.justsecurity.org\/73946\/russias-solarwinds-operation-and-international-law\/\">Michael Schmitt<\/a> observes, the approach adopted by the majority of the Tallinn Manual experts would mean that, as a cyber espionage operation, the SolarWinds hack would not transgress the principle of territorial sovereignty. Yet, Schmitt recognises that this position leaves digital supply chains vulnerable to espionage. He therefore <em>suggests<\/em> that, because the SolarWinds hack installed a back door in computer networks and systems and that operators had to patch this vulnerability in order to restore their integrity, it <em>could<\/em> be said that the hack caused sufficient damage to establish a breach of the principle of territorial sovereignty.<\/p>\n<p>Schmitt\u2019s determination to interpret the principle of territorial sovereignty in such a way as to prohibit hacks against digital supply chains is commendable. By penetrating computer networks and systems in order to steal confidential data, cyber espionage operations can interfere with privacy-related rights, undermine trust and confidence in digital infrastructure, disrupt the delivery of essential services and, in extreme cases, threaten national security. International law must therefore prohibit cyber espionage and deter this activity. But the reality is that most hacks exploit vulnerabilities in computer networks or systems (after all, how was access obtained?) 
and require operators to take some type of remedial action, even if the patching process is quicker and easier for one-off, opportunistic hacks than it is for more sophisticated, intensive hacks that implant permanent back doors in networks or systems. Thus, Schmitt\u2019s approach would effectively mean that any non-consensual intrusion into confidential networks or systems would breach the principle of territorial sovereignty.<\/p>\n<p>Perhaps it could be said that it is only those hacks that require <em>significant<\/em> remedial action on behalf of the system operator that violate the territorial sovereignty principle. However, this approach is also beset with problems. In particular, it complexifies and subjectifies the application of the principle of territorial sovereignty, raising difficult questions as to which malicious cyber operations are sufficiently harmful to constitute a breach of this rule.<\/p>\n<p>In my view, we must divorce the principle of territorial sovereignty from the requirement of harm or damage. We now live in a Digital Age. As the Tallinn Manual experts and the <a href=\"https:\/\/undocs.org\/A\/68\/98\">2013<\/a> and <a href=\"https:\/\/undocs.org\/A\/70\/174\">2015<\/a> UN GGEs concluded, States exercise sovereignty over the cyber infrastructure physically located within their territory and their sovereignty extends to the networks and systems that this infrastructure supports. If this is the case, why does a State\u2019s inherently governmental function to decide who enters its sovereign <em>physical<\/em> territory deserve more protection than its decision as to who enters its sovereign <em>cyber<\/em> infrastructure? There is no principled justification for this difference in approach. 
For me, the better view is that any non-consensual intrusion into computer networks or systems that are supported by cyber infrastructure that is physically located within the territory of another State amounts to a breach of the principle of territorial sovereignty, regardless of whether the targeted networks or systems are publicly or privately owned or operated. This approach also finds support in State practice (see <a href=\"https:\/\/www.defense.gouv.fr\/content\/download\/565895\/9750877\/file\/Droit+internat+appliqu%C3%A9+aux+op%C3%A9rations+Cyberespace.pdf\">France<\/a> and <a href=\"https:\/\/nournews.ir\/En\/News\/53144\/General-Staff-of-Iranian-Armed-Forces-Warns-of-Tough-Reaction-to-Any-Cyber-Threat\">Iran<\/a> and, for a general discussion, see <a href=\"https:\/\/www.bloomsburyprofessional.com\/uk\/cyber-espionage-and-international-law-9781782257363\/\">here<\/a>). Importantly, this interpretation of the territorial sovereignty principle would prohibit remote access cyber espionage operations on the basis that they intrude into the victim State\u2019s sovereign cyber infrastructure by penetrating (without consent) computer networks and systems hosted by that infrastructure.<\/p>\n<p><strong>A Customary Espionage \u2018Exception\u2019?<\/strong><\/p>\n<p><a href=\"https:\/\/repository.law.umich.edu\/cgi\/viewcontent.cgi?article=1171&amp;context=mjil\">Some<\/a> scholars concede that espionage <em>prima facie<\/em> breaches the principle of territorial sovereignty. Nevertheless, they argue that this principle contains an espionage \u2018exception\u2019 insofar as States have, through their practice, determined that acts of espionage (including cyber-enabled espionage) are not covered by this principle and are thus lawful. 
States are of course entitled to carve out exceptions to rules of international law but it goes without saying that they must be clearly established in State practice and <em>opinio juris<\/em>, the two essential elements of customary law.<\/p>\n<p>State practice and <em>opinio juris<\/em> are difficult to <a href=\"https:\/\/scholarship.law.cornell.edu\/cgi\/viewcontent.cgi?article=1937&amp;context=cilj\">identify<\/a> in the context of espionage. There is no doubt that espionage is widely practised within the world order. Yet, espionage is an activity that is generally committed in secret. Critically, <em>secret<\/em> State practice is methodologically irrelevant to the formation of customary law (<a href=\"http:\/\/www.law.umich.edu\/facultyhome\/drwcasebook\/Documents\/Documents\/ILA%20Report%20on%20Formation%20of%20Customary%20International%20Law.pdf\">ILA<\/a>, Principle 5). That said, it may be the case that the international community becomes aware of espionage via media reports, allegations by States or leaks by government employees. Does this constitute <em>public<\/em> State practice? For me, unless the impugned State admits involvement in espionage, leaks\/allegations\/reports do not amount to public State practice because, after all, the State neither endorses nor associates itself with that activity.<\/p>\n<p>Additionally, State practice must be coupled with <em>opinio juris<\/em> for custom to form. <em>Opinio juris<\/em> is difficult to discern in the context of espionage because of the \u2018<a href=\"https:\/\/www.cambridge.org\/core\/journals\/canadian-yearbook-of-international-law-annuaire-canadien-de-droit-international\/article\/lespionnage-en-temps-de-paix-en-droit-international-public\/6C824CBA14ABD2D97F6EEF40F5CC5842\">policy of silence<\/a>\u2019 that surrounds this activity. Thus, very few States have justified espionage as lawful under customary law. 
Admittedly, since the Snowden revelations some <a href=\"https:\/\/www.mfat.govt.nz\/en\/media-and-resources\/ministry-statements-and-speeches\/cyber-il\/\">States<\/a> have argued that espionage operations are lawful under international law, which may pave the way for a customary espionage exception to emerge. Yet, it is equally the case that, in response to the Snowden leaks, States such as <a href=\"https:\/\/www.thetimes.co.uk\/article\/us-intelligence-hacked-mexican-presidents-email-rvprl60bc7p\">Mexico<\/a> condemned the US\u2019s cyber espionage as \u2018unacceptable, illegitimate and contrary to Mexican and international law\u2019. I do not have space in this post to explore which States regard espionage as lawful or not. But what is clear is that <em>opinio juris<\/em> is too unsettled or even divergent to found a customary exception to a principle of general international law.<\/p>\n<p><strong>Conclusion<\/strong><\/p>\n<p>There is much hyperbole around the SolarWinds and Microsoft hacks. Rather than being destructive cyber attacks as some commentators (including Microsoft President <a href=\"https:\/\/blogs.microsoft.com\/on-the-issues\/2020\/12\/17\/cyberattacks-cybersecurity-solarwinds-fireeye\/\">Brad Smith<\/a>) and US politicians (see <a href=\"https:\/\/thehill.com\/policy\/cybersecurity\/530461-durbin-says-alleged-russian-hack-virtually-a-declaration-of-war\">here<\/a> and <a href=\"https:\/\/www.axios.com\/solarflares-russia-hack-agencies-0a21d7e4-9fcf-4f6d-b86c-f903d155dd9d.html\">here<\/a>) have said, they were acts of cyber network exploitation and, to be fair, they are not unprecedented \u2013 their scale and sophistication is similar to cyber espionage operations carried out by other States in recent years. But international lawyers have worked themselves into a difficult position. 
Having previously averred that cyber espionage operations fall beyond the regulatory purview of international law, they now recognise the harm caused by such acts and have sought to cast them as destructive cyber attacks and do so in order to reach a different conclusion as to their legality under international law.<\/p>\n<p>In my view, the better approach is to recognise that international law regulates espionage operations and, in particular, that it applies to the underlying act. In this post, I have argued for an interpretation of the principle of territorial sovereignty that prohibits cyber operations where they involve non-consensual trespass into a State\u2019s sovereign cyber infrastructure. Interpreted in this way, the territorial sovereignty principle provides States \u2013 and digital supply chains more generally \u2013 with powerful legal protection against cyber espionage.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>During the Covid-19 pandemic, more services and activities have migrated online. Digital supply chains have therefore emerged as the lifeblood of modern society and interferences with them can be hugely disruptive, as two recent incidents have illustrated. In late 2020, SolarWinds, a US technology company, reported that its flagship Orion software had been hacked. 
The [&hellip;]<\/p>\n","protected":false},"author":8,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[6639],"tags":[4935],"authors":[6738],"article-categories":[6000],"doi":[],"class_list":["post-13035","post","type-post","status-publish","format-standard","hentry","category-uncategorized","tag-cyber-security","authors-russell-buchan","article-categories-article"],"acf":{"subline":"International Law, Digital Supply Chains and the SolarWinds and Microsoft Hacks"},"meta_box":{"doi":"10.17176\/20210331-194640-0"},"_links":{"self":[{"href":"https:\/\/voelkerrechtsblog.org\/de\/wp-json\/wp\/v2\/posts\/13035","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/voelkerrechtsblog.org\/de\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/voelkerrechtsblog.org\/de\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/voelkerrechtsblog.org\/de\/wp-json\/wp\/v2\/users\/8"}],"replies":[{"embeddable":true,"href":"https:\/\/voelkerrechtsblog.org\/de\/wp-json\/wp\/v2\/comments?post=13035"}],"version-history":[{"count":2,"href":"https:\/\/voelkerrechtsblog.org\/de\/wp-json\/wp\/v2\/posts\/13035\/revisions"}],"predecessor-version":[{"id":13048,"href":"https:\/\/voelkerrechtsblog.org\/de\/wp-json\/wp\/v2\/posts\/13035\/revisions\/13048"}],"wp:attachment":[{"href":"https:\/\/voelkerrechtsblog.org\/de\/wp-json\/wp\/v2\/media?parent=13035"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/voelkerrechtsblog.org\/de\/wp-json\/wp\/v2\/categories?post=13035"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/voelkerrechtsblog.org\/de\/wp-json\/wp\/v2\/tags?post=13035"},{"taxonomy":"authors","embeddable":true,"href":"https:\/\/voelkerrechtsblog.org\/de\/wp-json\/wp\/v2\/authors?post=13035"},{"taxonomy":"article-categories","embeddable":true,"href":"https:\/\/voelkerrechtsblog.org\/de\/wp-json\/wp
\/v2\/article-categories?post=13035"},{"taxonomy":"doi","embeddable":true,"href":"https:\/\/voelkerrechtsblog.org\/de\/wp-json\/wp\/v2\/doi?post=13035"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}