States and non-state actors are turning to cyberspace to exploit the COVID-19 pandemic. Many of their operations violate such international law rules as the requirement to the respect the sovereignty of other states, the prohibitions on intervention and the use of force, and international human rights law obligations and prohibitions.
The COVID-19 pandemic has been accompanied by a shameful surge in malicious cyber operations, conducted by both states and non-state actors, targeting medical facilities and public health capabilities. Some operations involve espionage, as in the accusation that the Chinese government has been actively targeting US coronavirus vaccine research. Others are criminal in nature, a notable example being the ransomware attack against Hammersmith Medicines Research, which had been designated as a UK site for vaccine testing. Many are disruptive. For instance, European supercomputers working on COVID-19 research have been targeted, while the World Health Organization was the victim of a phishing attack.
Misinformation is also rampant. Tragically, hundreds died in Iran after ingesting high-proof alcohol because of false social media assertions that doing so would protect against the virus. Perhaps most nefariously, cyber operations have even directly interfered with the delivery of medical care and public health activities. For instance, Brno University Hospital had to shut down its IT network after being attacked, forcing surgeries to be postponed and the COVID-19 testing that was part of the Czech government’s pandemic response to be cancelled.
Responses from states and international organisations have varied widely. The EU’s High Representative called for a halt to phishing and malware distribution campaigns, scanning activities and DDoS attacks. These activities, some of which affected critical infrastructure necessary to manage the pandemic, also prompted the Council of the European Union to extend its cyber sanctions regime until May 2021. Meanwhile, national leaders in countries like the United States and Brazil have used social media to communicate dangerous misinformation about the pandemic.
That threatening behaviour online merits condemnation is self-evident. But it may also be a violation of international law.
International Law Prohibitions
Rules of international law generally govern the conduct of states. Therefore, to characterize a COVID-19 related cyber operation as violating international law, it must first be established that a state organ, such as an intelligence agency, carried out the operation or that a non-state actor like a private company, hactivists, or a terrorist group did so pursuant to the “instructions or direction or control” of a state. The degree of certainty required to attribute an operation to a state varies depending on the purpose of the attribution, which can range from political naming and shaming to judicial adjudication. Nevertheless, it is widely accepted that attribution should only occur when a reasonable state in similar circumstances would also attribute the operation to that state.
The rule likeliest to be violated by a COVID-19-related cyber operation is that requiring respect for other states’ sovereignty. It may be transgressed in two ways. First, an operation targeting medical or public health cyber infrastructure that results in an individual contracting the virus, exacerbates illness or damages the targeted infrastructure (including loss of functionality requiring repair) violates the rule because it causes injury or damage in another state’s territory. When such consequences are foreseeable, the rule is violated, as in the case of intentional misinformation that causes individuals to refrain from treatment or dangerously self-medicate. Whether the causation of non-injurious or non-damaging effects violates the sovereignty of the state into which cyber operations are conducted remains unsettled in law.
Second, a cyber operation violates sovereignty when it interferes with a state’s “inherently governmental functions”. Crisis management, including the development and execution of pandemic response plans, is one such function. Recall, for example, that the government had designated Brno University Hospital as a COVID-19 testing facility, while Hammersmith Medicines Research was tasked with UK vaccine testing. Mere interference with these functions therefore qualified as a sovereignty violation on this basis. Indeed, a COVID-19 related cyber operation can violate sovereignty on both bases, for instance when it interferes with the nation’s public health response, thereby making it likely that individuals will become ill or die.
In fairness, it should be acknowledged that the UK has rejected the existence of a rule of sovereignty in international law. However, that position is unfounded in law and has been rejected, correctly, by a number of European nations, such as the Netherlands, France, Austria and the Czech Republic. It has garnered no unqualified support from any other nation.
A second international law prohibition that can be violated by COVID-19 related cyber operations is that of intervention into the internal affairs of another state. As observed by the International Court of Justice, there are two requirements for intervention: 1) that the action in question involve the domaine réservé, an area of activity international law leaves to states to regulate, and 2) that the action is coercive in the sense of causing a state to take, or refrain from, action against its will.
Some confusion surrounds application of the rule in the health context. Although the handling of a health crisis falls within a state’s domaine réservé, the purpose of the cyber operation in question must be to deprive the state of choice in that area of activity. Thus, for instance, the WannaCry ransomware attack that hobbled the British NHS was not intervention because there was no desire to change UK policy or its execution; the objective was to force payment of ransoms.
However, if attributable to states, many COVID-19-related cyber operations would qualify. For example, the operation that deprived Brno University Hospital of its testing capability did so because it frustrated an aspect of the Czech government’s pandemic response plan. Similarly, even a brief DoS operation targeting a public health ministry’s social media communications would amount to intervention because it would prevent the state from communicating in the way it deemed necessary to address the crisis. By contrast, a misinformation operation that ran parallel to the state’s social media efforts would not be intervention, because the state would retain the ability to execute its public health plan. That operation could nevertheless qualify as a violation of sovereignty if the misinformation placed health or lives at risk.
Some COVID-19-related cyber operations might even rise to the level of an unlawful use of force in violation of Article 2(4) of the UN Charter and customary international law. Although there is universal agreement that the prohibition applies in the cyber context, it remains unsettled whether, and if so when, cyber operations not causing significant loss of life, injury or physical damage amount to a use of force. Obviously, any COVID-19-related cyber operation that places a significant number of individuals directly at risk of becoming ill or dying would qualify, so long as attributable to a state. Arguably, so too would a cyber operation resulting in any serious illness or death. In this regard, recall that Prime Minister Theresa May asserted that Russia’s 2018 non-lethal poisoning of Sergei and Yulia Skripal was an unlawful use of force.
COVID-19-related cyber operations also directly implicate the human rights to life and health that are protected by customary international law and numerous treaty provisions, such as Article 6 of the International Covenant on Civil and Political Rights (ICCPR), Article 12(1) of the International Covenant on Economic, Social and Cultural Rights and Article 2 of the European Convention on Human Rights. Pursuant to international human rights law (IHRL), states have an obligation to both respect and protect these rights.
The term respect means that state activities must not place the enjoyment of life and health at risk, at least absent legal justification under IHRL. To be justified, the state’s action must be provided for by domestic law and necessary to achieve a legitimate purpose, and the interference with the right must be proportionate to that purpose.
Human rights tribunals and bodies have not yet dealt with a situation involving cyber activities that threaten life or health. Nevertheless, the UN Human Rights Committee has indicated that the right to life “should not be interpreted narrowly”. Thus, it could be argued that intentionally providing misinformation to the population violates the obligation to respect life and health by placing both at serious risk. Examples might include falsely dismissing the dangers of the virus, as has occurred in Brazil, Nicaragua and Turkmenistan, and intentionally promoting ineffective treatments, as occurred in Madagascar.
Yet, the prohibition is most likely to be implicated by remotely conducted cyber operations into another state’s territory against its medical or public health capabilities, as has occurred. If these operations can be attributed to a state, then the question becomes whether human rights obligations are extraterritorial, such that the state conducting them violates the human rights of those affected in other countries. Unfortunately, the question remains unsettled in law, although the trend is clearly in the direction of extraterritorial application.
International Law Obligations
Under general international law, states shoulder an obligation to ensure that cyber operations causing serious adverse consequences with regard to the rights of other states are not conducted from or though their territory. The legal status of this “due diligence” obligation is somewhat unsettled, with some states taking the position that it is an established rule of international law, while others have only gone as far as styling it as a voluntary non-binding obligation. The better argument is that it is a legal obligation, as it is in the non-cyber context.
By this rule, a state learning of hostile cyber operations from or through its territory against medical capabilities or public health activities in another state is obligated to take all feasible measures to put an end to those operations if they would violate the sovereignty of the target state, constitute intervention into its internal affairs, amount to a use of force, violate the rights of individuals on that state’s territory (assuming IHRL obligations apply extraterritorially) or violate other rules of international law with serious consequences. This obligation extends to cyber operations conducted by both third states and non-state actors.
States also have a positive obligation under international human rights law to protect the rights to life and health of individuals on their territory. The obligation is both customary and appears in treaty law, such as Article 2(1) of the ICCPR. On this basis, states are obligated to take feasible measures to end malicious cyber operations, regardless of who is conducting them, that place the health of individuals on their territory at risk. This obligation further requires states to take feasible measures to promote accurate COVID-19 information.
Combating misinformation is somewhat more complicated because states have an IHRL obligation to respect the exercise of freedom of expression on their territory, an obligation that can even protect false information in certain cases. Nevertheless, they may take action against misinformation when it endangers the population if the limitations in question comply with the requirements cited above. It is important to emphasise the importance of freedom of expression during a pandemic, for freedom of expression, particularly on the part of the press, is perhaps the most effective counter to misinformation by the government itself.
Publicly characterizing malicious cyber operations targeting medical capabilities or public health activities, or endangering the health of individuals, as violations of international law is overdue. Yet few states have done so, notable exceptions being the Netherlands, Australia and the supporters of a proposal before the UN’s Open-ended Working Group. Others must act responsibly by following their lead immediately. Of course, doing so is no panacea but it is indisputable that naming and shaming will have a degree of deterrent effect on states that violate international law. Moreover, COVID-19 related cyber operations that violate international law open the door to responses that would otherwise be unavailable, particularly countermeasures (responses that would be unlawful but for the fact that they are designed to compel an attacker to end its own unlawful cyber operations). In extreme cases, a victim state may even resort to force in self-defence, pursuant to Article 51 of the UN Charter. As this pandemic marches on, it becomes increasingly insufficient for states to simply condemn hostile cyber operations without calling them out for what they are – blatant violations of international law.
* This article highlights key facets of research into the subject undertaken together with Professor Marko Milanovich. The full results of this research will be published in the Journal of National Security Law and Policy.
Featured image: credits to Markus Spiske
About the Author
Michael Schmitt is Professor of International Law at the University of Reading; Charles H. Stockton Distinguished Scholar in Residence at the US Naval War College; Francis Lieber Distinguished Scholar at West Point; Strauss Center Distinguished Scholar at the University of Texas; NATO CCD COE Senior Fellow; and Director of Legal Affairs for Cyber Law International.