Hostile Cyberoperations Against Medical Facilities and Their Impunity

Cyberoperations against healthcare providers and testing facilities are thriving in the U.S. and beyond. An unsuccessful act against the U.S. Department of Health and Human Services was intended to undermine the administration’s response to the current crisis. Operations against several Czech hospitals and the Paris Hospital Authority attempted to disable networks of healthcare providers and testing facilities, which further impacted the delivery of health services. Numerous other unsuccessful hostile cyberoperations received less attention from the press.

Existing international law protects healthcare providers against cyberoperations more comprehensively during war than during peacetime. Diverse and ambiguous positions of states, sometimes even complete silence of relevant authorities, may send a message of impunity to malicious intruders and to potential future wrongdoers. The impunity that seems to follow these hostile acts creates a different type of harm. This article aims to identify the justifications for states’ hesitation or passivity in responding to low-scale cyberoperations that don’t rise to the level of the use of force, in particular during the current pandemic.

Attribution

Attribution is a sine qua non condition for invoking state responsibility in case of transboundary cyberoperations and for justifying a response consistent with international law. While factual attribution addresses the reasonable certainty of determining the responsible state or proxy for a particular operation, legal attribution defers to the law of state responsibility. Experts have argued that “attribution is what states make of it.” The purposes of public attribution can include public outreach (outlining standards of behavior), coercion (disarming malicious actors by exposing their intelligence), and deterrence (creating onerous legal repercussions and discouraging repetition by the same or other wrongdoers). The ultimate attribution goals often depend on the incurred or potential damage, which frequently limits the resources and the time invested into investigations. Although states are not required to present the intelligence they relied upon when making attribution determinations, a rationale highlighted by the US and the UK, some sort of evidence is usually expected. Nevertheless, in the absence of a common standard of proof and transparency about the extent of evidence underlying attribution, categorical determinations which justify legitimate responses are rare. To date, no customary international law rule indicates the acceptable or necessary “level of attribution,” i.e. level of certainty for establishing state responsibility for cyber actions. The Tallinn Manual 2.0 (Rule 80) leaves this challenging coordination to states’ discretion.

Until a few years ago, states were reluctant to openly attribute cyberacts to other states. More recent coordinated public denouncements of responsibility demonstrate a shift from past trends. The evolution of collective responses is relevant for future approaches to “collective countermeasures,” which are currently widely regarded as being incompatible with international law. Several recent efforts evaluate the practicalities of creating an international attribution mechanism for state-sponsored cyber operations against foreign targets.

It is important to clearly differentiate between cyberoperations which are governed by domestic law and transboundary actions which are subject to international law. In an effort to avoid classical consequences of formal attribution, some “derivatives” of typical attribution procedures have emerged. First, “attribution by indictment” capitalizes on domestic criminal law provisions, which states enforce transnationally in order to outline an expected behavior in cyberspace. Secondly, although international law legitimizes only states to use countermeasures, governments do not have a monopoly on the accusation function. Targets have no legal grounds to develop hack-back operations in response to cross-border cyberoperations, but they are allowed to pursue private attribution, whereby potentially erroneous attribution entails low political risks.

The question, therefore, is why healthcare providers that were targets of recent cyberoperations refrained from “naming and shaming.” Although the most evident reason might be lack of evidence and capabilities to identify the intruders, targets often prefer to disclose limited information on their sources, methods, vulnerabilities, and on the incurred damage, for example regarding leaks of private data. Another explanation is lack of coordination with state authorities, although in the past, US officials have been open to receiving notifications prior to public disclosures or information-sharing for private attribution of state-sponsored cyberoperations.

Foreign Affairs

This widespread sense of impunity for malicious cyberoperations has driven some states to support regional and global efforts for cyber deterrence and accountability of wrongdoers. Endeavors towards transparency and clarification on application of international law can be observed in Estonia, France and the Netherlands, as well as in the UK, which detailed its exposure and response mechanisms. A slightly different perspective was shared by the US, which in 2018 adopted the doctrines of “persistent engagement” and “defend forward,” emphasizing the role of the military in conducting intelligence operations for the collection and disruption of malicious cyber activity.

Outlining standards of behavior is particularly important in the context of attribution. Public attribution, especially if it takes place in a coordinated fashion among nations, has the potential to articulate shared understandings of prohibited behavior in cyberspace and to contribute to deterrence of future operations. However, at this stage, no formal attribution has been made publicly for any of the recent hostile cyberacts against medical facilities.

The political aspect of attribution includes assessment of physical, financial, or reputational damages, and a wide range of public policy and strategic implications. To name a few, states are aware that public statements have significant implications in terms of their normative commitments, both for creation of customary international law, and regarding governments’ future positions. States’ silence is also determined by fears of exposing their own vulnerabilities, offensive or defensive capabilities, and even jeopardizing deterrence and national security strategies. Lack of transparency regarding the investigations of cyberoperations, as was also the case during recent incidents, is often criticized, because it hampers identification and development of state practice.

Public expectations to follow up on attribution with robust responses or countermeasures are relevant decision-making factors. While weak responses, such as delayed public attribution or symbolic sanctions against wrongdoers, might create domestic contempt, the international tension generated by solid responses and the risks of cyber escalation discourage governmental attributions in the first place. In addition to vague government reactions, recent hostile operations in the Czech Republic, France, Germany, and the US that interfered with the delivery of healthcare services also demonstrated a lack of transparency and trust on the part of victim hospitals and their reluctance to share information.

Some law enforcement agencies are developing their own hacking programs to track down malicious actors and computers. Secret cyber-exfiltration operations, being conducted without host countries’ consent, raise serious questions of legality and potential violation of other states’ sovereignty, a position already endorsed by the European Parliament. Although they might be valuable for attribution purposes, these efforts may trigger disruptive foreign relations implications and escalation under an alleged justification of anticipatory self-defense. Ideally, investigation and attribution processes rely on cooperation with foreign states under the 2001 Council of Europe Convention on Cybercrime, although the practical disclosure challenges persist.

Consequences of Responses and Sanctions

I have recently analyzed international law rules applicable to state-sponsored cyberoperations against medical facilities and possible reactions to unlawful state practices, originally developed for responses to non-cyber means. States can use, inter alia, mechanisms for international cooperation, means of peaceful dispute settlement, and employ acts of retorsion, including the “naming and shaming” practice. If the harmful act represents a violation of international law, and can be attributed to a state, states can engage in peaceful countermeasures. The purpose of countermeasures must be the return to a situation of lawfulness. In the current context, the practical benefits of countermeasures are hampered by foreign policy considerations, concerns on proportionality, and the uncertainty regarding the threshold of the use of force. An armed attack under jus ad bellum can activate the victims’ right to engage in self-defense. To date, no state has publicly outlined its response within the international law framework of countermeasures or invoked the right to self-defense in response to cyberoperations.

At their core, sanctions are policy tools able to change, limit, or criticize in normative terms the behavior of another actor. While coercion is clearly regarded as the main purpose of a sanction regime, constraint and signaling disapproval to different audiences also play a significant role. The coordination of sanctions with other foreign policy tools, security and trade instruments, remains the recipe of their effectiveness, a highly controversial feature of sanctions. States’ prudence can also be explained by probable escalatory effects of sanctions and their long-term consequences, as well as potential indirect consequences which are often hard to predict. The flexibility of sanction regimes is particularly relevant for the cyber domain, as a perfect transposition of sanction regimes from the kinetic world is still highly debated. While US administrations started in 2014 to respond to harmful cyberoperations, the efficiency of the 2019 EU cyber sanctions regime has not yet been tested.

Although the deterrent effects of attribution and responses developed for the physical world are debated, recourse to these reactive measures reflects an increased state recognition of international law rules in cyberspace. Recent condemnation of hostile cyberoperations against healthcare and testing facilities by the EU, the UK, and Estonia, is an important step ahead. Without specifying the type of intended consequences, US Secretary of State Pompeo suggested that the US is prepared to take collective action with allies against cyberattacks threatening human lives, a position very much welcomed in the international security community. Public condemnations are very important, but clear association of hostile acts with the specific international law rule that was violated will bring additional normative value, and contribute to a common understanding as to the applicability and interpretation of specific rules of conduct in cyberspace.

Uncertain Application of International Law to Cyberspace

As primary architects of international law, states are prudent when taking public positions on evidence and responses relating to cyberoperations. The vagueness of these declarations mirrors the fragmented interpretation and application of international law rules and norms to cyberspace, including with regard to the Tallinn Manuals. States are even more reluctant to publicly denounce cyberoperations which don’t meet the threshold of the use of force, or which have limited to no physical consequences. This approach could be exploited by hackers who try to minimize effects to be “below the threshold” of an armed attack, as was the case in the recent cyberoperations against hospitals. States and nonstate actors who employ cyber tools recognize the improbability of solid state responses, especially of a kinetic response. These unfortunate events offer states the context to shape and express positions on controversial issues, such as the threshold of an armed attack, the scope of cyber due diligence and of “critical state infrastructure.” These are fantastic opportunities for building the bricks of customary law, interpretation of existing principles, and articulation of “norm-making laboratories,” such as the Tallinn Manuals, especially because conversations on specific cases are regarded as more successful than abstract legal conversation.

Human Rights Law

Numerous scholars analyzed the compatibility of past US, UN and EU sanctions against natural and legal persons with international human rights instruments. Several international bodies, such as the Courts of Justice of the EU, the UN Human Rights Committee and the European Court of Human Rights, addressed the legality of targeted sanctions in several cases and concluded that limiting freedom of movement and the right to dispose of one’s property may infringe human rights safeguards, especially regarding compliance with due process. Whether states’ reluctance to respond more firmly to cyberoperations can be attributed to concerns regarding human rights repercussions and critiques related thereto is questionable. The U.S. has signed, but has not ratified, the American Convention on Human Rights and the International Covenant on Economic, Social and Cultural Rights. While it ratified the International Covenant on Civil and Political Rights, the U.S. has argued that the Covenant does not apply extraterritorially, i.e. when it acts against foreign nationals abroad, as is the case when applying targeted sanctions.

A Widespread Sense of Impunity

Cyber attribution is a sophisticated exercise, especially given the technical features of evidence and absence of a commonly agreed standard of proof. Uncertain attribution practices affect the legitimacy of legal action and often lead to impunity of cybercriminals. The normativization process in cyberspace is constant, but repetitive, and recent trends show political will to operationalize existing international law. Recent hostile acts against healthcare facilities demonstrated the need to pair evolution of existing international law rules and norms with trust and accountability. In this respect, calls for a growing role of the UN Open-Ended Working Group (OEWG) are very justified. Following the Netherlands’ assertive submission in preparation for the next group session, the OEWG should capitalize on its mandate to coordinate state views to achieve a stable and secure cyberspace. The Geneva Conventions were drafted in the aftermath of a devastating war. Perhaps, the silver lining of recent malicious cyberoperations is the opportunity for states and multilateral fora to clarify application of international law, endorse norms, and assert their credibility on the international landscape.

 

Adina Ponta is currently the Detlev F. Vagts International Law Fellow at the American Society of International Law. Prior to that, she worked in the legal offices of two NATO headquarters, where she advised on the lawful conduct of armed forces during conflict and peacetime military operations. She has an LL.M. in international law and a Ph.D. in business and technology law.

Note: This article does not reflect the views of the American Society of International Law or its members.

 

Suggested citation: Adina Ponta, Hostile Cyberoperations Against Medical Facilities and Their Impunity, JURIST – Professional Commentary, May 22, 2020, https://www.jurist.org/commentary/2020/05/adina-ponta-hospital-hostile-cyberoperations/.


This article was prepared for publication by Tim Zubizarreta, JURIST’s Managing Editor. Please direct any questions or comments to him at commentary@jurist.org

