Immediately following this May’s “WannaCry” ransomware cyber-attacks, the United Kingdom’s National Cyber Security Centre (NCSC) speculated that the hacker group “Lazarus”—believed to have ties to the North Korean government—launched the operation. In a statement released Tuesday, the British government made public its assessment that “it is highly likely that North Korean actors known as the Lazarus Group were behind the WannaCry ransomware campaign.” The statement followed on the heels of a Wall Street Journal editorial by Thomas Bossert, assistant to the president for homeland security and counterterrorism, in which he acknowledged that the United States ascribes the operation to North Korea. At a subsequent White House briefing on Tuesday, Bossert, although failing to name the Lazarus Group, confirmed:
After careful investigation, the United States is publicly attributing the massive WannaCry cyberattack to North Korea. We do not make this allegation lightly. We do so with evidence, and we do so with partners. Other governments and private companies agree.
Bossert cited the United Kingdom, Australia, Canada, New Zealand, and Japan, and Microsoft was singled out as one of the companies that have apparently come to the same conclusion. With the culprit officially named, it’s time to explore the legal issues raised by the WannaCry campaign and the subsequent claim that North Korea was behind it.
The Legal Character of the Operation
“WannaCry” affected between 230,000 and 300,000 computers in over 150 countries by encrypting computer files and demanding $300 in cryptocurrency from users in order to restore access. The operation exploited a software vulnerability in systems running older versions of Microsoft Windows that had not installed up-to-date security patches.
A variety of companies, including FedEx, Renault, Telefónica and Deutsche Bahn, were affected. Hardest hit, however, was England’s National Health Service (NHS England). According to a National Audit Office report, the attacks affected at least 81 of the 236 NHS “trusts”—components of the NHS that either serve geographic areas or perform specialized functions. An additional 603 primary care facilities were impacted. Many NHS staff could not access their files and therefore were unable to retrieve or update patient records, while thousands of pieces of medical equipment were locked. Countless medical appointments, and even surgical procedures, had to be cancelled. Many patients needing immediate care were diverted to providers unaffected by the ransomware attacks.
According to the report, NHS England “was not the specific target” of the operation. Rather, it appears to have been indiscriminate. For instance, over 1,000 computers of the Russian Interior Ministry were compromised, as was 25 percent of India’s Andhra Pradesh police department network.
Assuming that the ransomware attacks were attributable to North Korea, a topic discussed below, the question is whether the operation breached any international law obligations North Korea owed another State, such that it constituted an “internationally wrongful act.” In cases involving States, the international law rules most likely to be violated are the prohibition on the use of force, the prohibition on intervention into other States’ internal or external affairs, the obligation to respect the sovereignty of other States, and the obligation to exercise due diligence.
There is general agreement that destructive operations or those that are injurious cross the use of force threshold, and thus constitute a violation of Article 2(4) of the UN Charter and customary international law; the WannaCry operation did not appear to reach this level.
Whether non-destructive and non-injurious cyber operations can qualify as uses of force is unsettled. In the absence of State practice and opinio juris, it is difficult to determine if and when States will treat them as such. The experts who prepared the Tallinn Manual 2.0, a comprehensive study on how international law applies to cyberspace, suggested factors that States are likely to consider when making these assessments, but were unable to articulate any bright line test. Nevertheless, in our view, hostile cyber operations of a significant scope and scale that disrupt the provision of healthcare could reasonably be viewed as a use of force. By contrast, we believe it unlikely that States will treat non-destructive cyber operations directed against or affecting private firms as uses of force absent at least a major disruption of the national economy.
The WannaCry attacks raise an interesting question of law that is not fully resolved in the cyber context. The extent to which the attacks were directed at particular entities is unclear. But, assuming for the sake of discussion that the attacks were indiscriminate, could they nevertheless qualify as uses of force vis-à-vis States that might have suffered qualifying consequences? In our view, they could, so long as the nature of the consequences was foreseeable, even if the attacker may not have known precisely where they would manifest. We hasten to add that this issue remains unresolved.
Although a number of the WannaCry attacks could arguably be treated as uses of force, the same is not true with respect to the prohibition on intervention into other States’ internal or external affairs. Intervention has two elements. First, the act must relate to the target State’s domaine réservé (field of activity that is not committed to international law regulation). Certain WannaCry attacks did so, particularly those affecting law enforcement. However, the operation arguably did not satisfy the second criterion, that the act be coercive. A coercive cyber operation is one that causes a State to engage in conduct in which it would otherwise not engage, or refrain from conduct in which it would otherwise engage. WannaCry was disruptive, but not coercive in this sense.
The WannaCry attacks might, however, be considered a violation of the sovereignty of certain affected States. There is an ongoing debate over whether respect for another State’s sovereignty is a primary rule that imposes a legal obligation or is instead merely a legal principle from which primary rules, such as the prohibitions on intervention and the use of force, derive (see here, here, and here). Although we support the former position, this is not the place to resolve the matter.
Whatever the correct answer, the Tallinn Manual 2.0 experts concurred that a violation occurs whenever a cyber operation either causes damage to cyber infrastructure in another State or interferes with an inherently governmental act, the paradigmatic example being the conduct of elections. Most of them also agreed that “damage” includes a permanent loss of functionality or one that requires physical repair of the damaged infrastructure, such as replacement of the hard drive.
That does not appear to have occurred this time. Instead, the WannaCry effects fall into a grey zone in which the threshold for violation remains unsettled. We are of the view that the operation did in some respects violate the sovereignty of a number of States, particularly in light of the significant disruption of functions necessary for the delivery of medical care, which we would count as “damage.” Moreover, the operation interfered with an inherently governmental function—law enforcement.
A final possible internationally wrongful act is North Korea’s failure to abide by its due diligence obligation, which obliges States to put an end to ongoing cyber operations from their territory that have “serious adverse consequences” for other States’ rights. Thus, if North Korea is not legally responsible as described below for the Lazarus Group’s hostile cyber operations, it might nevertheless have been in breach of its due diligence obligation if it knew of the operation and failed to act to end it. It must be cautioned that a number of States are assessing the contours of this obligation in the cyber context and thus it remains somewhat controversial.
The Attribution Issue
Pursuant to the law of State responsibility, an internationally wrongful act not only requires a breach of an obligation owed by one State to another, but also attribution of the underlying act to the former. This raises the question of whether the WannaCry operation may be attributed to North Korea as a matter of law. North Korea, for its part, denies any link with the operation.
Little definitive evidence has been released supporting the conclusion that North Korea, through the Lazarus Group, was behind the WannaCry attack, although an internal assessment by the National Security Agency concluded that “cyber actors,” suspected of being “sponsored by” North Korea’s Reconnaissance General Bureau, were responsible for developing the WannaCry ransomware.
As confirmed by Article 8 of the International Law Commission’s Articles on State Responsibility, “[t]he conduct of a … group of persons shall be considered an act of a State under international law if the … group … is in fact acting on the instructions of, or under the direction or control of, that State in carrying out the conduct.” The terms “instructions,” “direction,” and “control” are legally abstruse (see here). Nevertheless, in an oversimplification, the State should either have charged the group with conducting the cyber operation in question or it must exercise “effective control” over the group such that it is acting on the State’s behalf.
Thus, attribution is a two-step process. First, it must be shown that the Lazarus Group conducted the operation. Second, the relationship between the group and North Korea must be established at the level of instructions, direction, or control. Unfortunately, it is difficult to tease apart these two analytical strands from the limited material available, for public accounts tend to conflate them.
In this regard, several high-profile cyber-attacks have been attributed to the Lazarus Group, including the 2014 attack on Sony Pictures and the 2016 attack against Bangladesh Bank. In the former case, the FBI determined that the North Korean government was responsible. Its conclusion was based, in part, on “similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks” that “North Korean actors previously developed,” “significant overlap between the infrastructure used in [the Sony] attack and other cyber activity the U.S. government has previously linked directly to North Korea,” and “similarities” in “the tools used” to an earlier cyber-attack against South Korean banks and media outlets. As to the latter, Kaspersky’s forensic analysis “strongly link[ed]” the malware used to Lazarus’ malware arsenal, while Symantec found a “rare piece of code” that was also found in the Sony attack.
Similarly, Bossert noted at the Dec. 19 White House press briefing that the U.S. assessment attributing the WannaCry attack to North Korea was based on “technical links to previously identified North Korean cyber tools, tradecraft, [and] operational infrastructure.” These included routines used by “intermediaries” carrying out attacks “on behalf of the North Korean government in the past.” Symantec also conducted a forensic analysis of the WannaCry operation and found “strong links” to the Lazarus Group based on similarities to malware used in previous attacks. Exercising caution, though, Symantec stated that “the WannaCry attacks do not bear the hallmarks of a nation-state campaign but are more typical of a cybercrime campaign.”
It would seem that a strong consensus has developed that the Lazarus Group conducted the WannaCry attacks and that the group has ties to the North Korean government. But whether those ties are sufficient to meet the Article 8 threshold cannot be established from open sources. Nor can the more demanding other bases for attribution of non-State actor cyber operations—that the group is a de facto State organ (Article 4) or exercises elements of governmental control (Article 5)—be established.
Finally, Kristen Eichensehr has perceptively noted that the 2015 report of the UN Group of Governmental Experts, a body composed of representatives from 20 countries including the P5, suggested that “accusations of organizing and implementing wrongful acts brought against States should be substantiated.” It must be emphasized, however, that the statement was hortatory; as the Tallinn Manual 2.0 experts concluded, “although doing so may be prudent in avoiding political or other tensions, insufficient State practice and opinio juris (in great part because cyber capabilities are in most cases highly classified) exist to conclude that there is an established basis under international law for such an obligation.”
Bossert’s editorial asserted that the U.S. “will continue to hold accountable” hackers “who harm or threaten” us “whether they act alone or on behalf of criminal organizations or hostile nations.” This echoes the just-released U.S. National Security Strategy, which makes the imposition of “swift and costly consequences on foreign governments, criminals, and other actors who would undertake significant malicious cyber activities” a national priority.
In terms of active defense (primarily “hack backs”), there are three core options beyond simple retorsion (actions that are unfriendly, but lawful, such as a counter-cyber operation that does not breach any legal obligation to the target State). First, an “injured” State may take “countermeasures,” actions that would be unlawful but for the fact that they are in response to another State’s unlawful cyber operation and designed to terminate it or compel the “responsible State” to make reparations. As the WannaCry attacks have ended, countermeasures are now only available to compel North Korea to make reparations, such as a “guarantee” in the form of breaking up the Lazarus Group or providing compensation to injured States.
Second, a State may act based upon the plea of necessity (Article 25 of the Articles on State Responsibility) to end a harmful cyber operation that poses a “grave and imminent peril” to an “essential interest” of the State, even if the response might otherwise violate an international law obligation to a State that is not responsible for the operation. The precise meaning of “essential interest” is ambiguous, but it certainly would include the population’s health, as with WannaCry’s effects in England. A particular benefit of the plea is that attribution to a State is not a precondition for acting. However, like countermeasures, the plea is only available to put an end to the harmful cyber operations, and accordingly would no longer be available in this case.
Finally, a State may act in response to a cyber operation that qualifies as an “armed attack” pursuant to the customary international law right of self-defense, which is also codified in Article 51 of the U.N. Charter. As with the use of force, the armed attack threshold is unsettled in the cyber context, although the prevailing view is that, consistent with the judgment of the International Court of Justice in Nicaragua, an armed attack is a particularly grave use of force (the U.S., by contrast, maintains that the use of force and armed attack thresholds are identical). We believe it is unlikely that States would characterize the consequences of the WannaCry attack as rising to the armed attack level, thereby justifying a response at the use of force level. And, as with the aforementioned responses, the fact that the attacks have definitively ended would mean a response on the basis of self-defense would run afoul of its “immediacy” criterion.
The views expressed are those of CDR Fahey in his personal capacity and do not necessarily reflect those of the U.S. Coast Guard or Department of Homeland Security.