Cyber Operations by Private Actors in the Ukraine-Russia Conflict: From Cyber War to Cyber Security

Introduction

Media attention to the ongoing Ukraine-Russia conflict has focused on a significant number of hacking and malware attacks by private actors, described in this Insight as cyber operations.  As an example, the pro-Russian hacker group CyberBerkut has assumed responsibility for cyber operations against NATO, the vote counting system for Ukrainian elections, and a mobile device within the U.S. vice-president’s delegation during a visit to Ukraine.[1]

CyberBerkut does not mention support by Russia.  Similarly, several security companies have found Russian roots in a number of cyber operations, without explicitly alleging Russia’s involvement or revealing the identity of their clients.  In March, security company BAE systems (U.K.) alleged the involvement of “committed and well-funded professionals” from within the Moscow time zone in the use of malware Snake against Ukrainian computer systems.[2]  Media reports during the year also reported the use of Snake against the Belgian Ministry of Foreign Affairs to access documents on the crisis in Ukraine.[3]  In September, F-Secure (Finland) reported use of malware BlackEnergy by the Russian cybercrime gang Quedagh against the Ukrainian government.[4]  In October, FireEye (U.S.) reported malware attacks by Russian hacker group APT28 against Eastern European governments. FireEye found consistency between the targeted information and Russian interests and identified malware code in Russian written during working hours in Moscow and St. Petersburg.[5]

These recent developments reveal difficulties in applying traditional public international law rules and principles regarding state responsibility to cyber operations. Implicit attribution of cyber operations to Russia by media and security companies cannot substitute for the formal task of finding proof of involvement by Russia under international law.[6]  This Insight reveals the challenges that arise in attributing to Russia cyber operations in the Ukraine-Russia conflict on the basis of the Articles on State Responsibility (ASR)[7] and the Tallinn Manual on the International Law Applicable to Cyber Warfare (Tallinn Manual).[8] At the same time, a shift in the discourse from cyber war to cyber security is evident from the surrounding events and commentary.

The ASR and the Tallinn Manual

The ASR were adopted in 2001 by the UN International Law Commission, which promotes the codification and progressive development of international law.  Although the ASR involve both a codification and progressive development,[9] they are not easily applicable to cyber operations.

In 2009, the NATO Cooperative Cyber Defence Centre of Excellence, an international military organization, invited an international group of experts to clarify “complex legal issues surrounding cyber operations,” more particularly regarding sovereignty, jurisdiction, state responsibility, jus ad bellum, and jus in bello or international humanitarian law (IHL).[10]  The group included technical experts, legal practitioners, and academics, representing think tanks, universities, and military organizations. Russia was not represented. The outcome of the experts’ work is the 2013 Tallinn Manual, which contains “rules” reflecting a consensus amongst the experts regarding currently applicable law governing cyber conflict, including consideration of how the ASR translate to a cyber context. Acting in their personal capacity, the experts recognized the lack of well-developed treaty law and state practice in relation to cyber operations; the Tallinn Manual therefore articulates differing positions among them.[11]

Attribution of Cyber Operations by Private Actors to a State

ASR article 5 provides a first basis for attributing conduct by private actors to a state, providing that the conduct of a person or entity empowered by law to exercise elements of governmental authority “shall be considered an act of the State under international law, provided the person or entity is acting in that capacity in the particular instance.”  As article 5 covers the scenario of private contractors that exercise public functions,[12] the Tallinn Manual includes as examples falling within article 5 a private entity empowered to undertake cyber intelligence (electronic gathering of political or military information) and a private corporation authorized by a state to conduct offensive computer network operations against another state.[13]  Russian empowerment or authorization of hacker groups and cybercrime gangs seems lacking in its conflict with Ukraine.

The Tallinn Manual also mentions private contractors in relation to ASR article 8, which provides that “[t]he conduct of a person or group of persons shall be considered an act of a State under international law if the person or group of persons is in fact acting on the instructions of, or under the direction or control of, that State in carrying out the conduct.”  The Tallinn Manual considers article 8 particularly relevant in a cyber context, applicable to private companies or citizens contracted or called upon by a state to conduct cyber operations against other states.  Article 8 would, however, not apply to private citizens conducting cyber operations on their own initiative (so-called hacktivists or patriotic hackers).  Hacker groups in the Ukraine-Russia conflict may qualify as patriotic hackers, but cybercrime gangs may be more profit-driven.

It is difficult to prove that Russia has “effective control” over these groups, which is the threshold set by the International Court of Justice (ICJ) in the Nicaragua case[14] for attributing conduct under ASR article 8.  According to the Tallinn Manual, effective control goes beyond the mere encouragement or expression of support for the acts of non-state actors and beyond the mere provision of hacking tools to insurgent groups that choose to act against another state.[15]  Yet, the Tallinn Manual concludes that a use of force arises from “providing an organized group with a malware and the training necessary to carry out cyber attacks against another state.”[16]  Thus, Russian provision of malware and training to a group for use against another state could constitute effective control for the purposes of ASR article 8 as elaborated in Nicaragua.

The Tallinn Manual indicates that “the provision of cyber attack tools for rebel use” is insufficient to meet the lower threshold of “overall control” established by the International Criminal Tribunal for the former Yugoslavia (ICTY) in the Tadić case for classifying an international armed conflict under IHL.  The ICTY reserved the application of the “overall control” test for “organized and hierarchically structured groups,”[17] described in the Tallinn Manual as coordinated groups that specify cyber targets, share attack tools, and conduct cyber vulnerability assessments.[18]  Cybercrime gangs may well meet the required level of organization, but overall control by Russia would depend on its involvement with the targeting by the gang.  For the ICTY, the requisite level of control goes beyond financing and equipment to participation in planning and supervision.  The Tallinn Manual regards overall control as arising from the provision of “specific intelligence on cyber vulnerabilities that renders particular rebel cyber attacks possible.”[19]

ASR article 11 provides another basis for attributing conduct by private actors to a state: the acknowledgement and adoption by a state of the conduct of private actors as its own.  For the ICJ, this goes beyond mere factual acknowledgement, approval, or endorsement of private conduct.[20]  The Tallinn Manual applies article 11 to a state that supports non-state actors conducting computer operations against another state and that “uses its cyber capabilities to protect the non-State actors against counter-cyber operations.”[21]  To date, Russia has not publicly supported cyber operations by private actors in its conflict with Ukraine.

The Shifting Discourse from Cyber War to Cyber Security

Some scholars have observed that most cyber operations relate not to cyber war but to cyber security, with commentary therefore focused on state responsibility to prevent cyber conduct by private actors rather than on attribution of such conduct to a state.[22]

Rule 5 of the Tallinn Manual provides that a “State shall not knowingly allow the cyber infrastructure located in its territory or under its exclusive governmental control to be used for acts that adversely and unlawfully affect other States.”  This rule is inspired by the ICJ’s Corfu Channel judgment of 1948, holding that a state may not knowingly allow its territory to be used for acts contrary to the rights of other states.[23]  Whereas the Tallinn Manual addresses sovereignty only in connection with jus ad bellum and jus in bello, the Corfu Channel case arguably provides a basis for tackling cyber operations beyond the scope of cyber war: so-called “cyber security” threats.

Tallinn Manual 2.0, scheduled for 2016, will further explore the application of the principle of sovereignty in a cyber context, examining cyber security threats under “the law of State responsibility, the law of the sea, international telecommunications law, space law, diplomatic and consular law, and, with respect to individuals, human rights law.”[24] With respect to human rights law, Russia’s accession to the first international treaty on cybercrime, the Council of Europe’s Cybercrime Convention,[25] could stimulate cooperation with the United States and European countries on these matters. International consensus may also develop through ongoing discussions between Ukraine and the U.S. on their cooperation in the fight against cybercrime.[26]

About the author: Gertjan Boulet is a Ph.D. candidate in Law at the Vrije Universiteit Brussel (Free University Brussels, Belgium). He is a member of the Research Group on Law, Science, Technology and Society.